Abstract. We develop a theory of contracting systems, where behavioural contracts may be violated by dishonest participants after they have been agreed upon, unlike in traditional approaches based on behavioural types. We consider the contracts of [9], and we embed them in a calculus that allows distributed participants to advertise contracts, reach agreements, query the fulfilment of contracts, and realise them (or choose not to). Our contract theory makes explicit who is culpable at each step of a computation. A participant is honest in a given context S when she is not culpable in each possible interaction with S. Our main result is a sufficient criterion for classifying a participant as honest in all possible contexts.



1 Introduction 

Contracts are abstract descriptions of the behaviour of services. They are used to compose services which are compliant according to some semantic property, e.g. the absence of deadlocks [5, 8, 9], the satisfaction of a set of constraints [7], or of some logical formula [1, 3, 14]. Most of the existing approaches tacitly assume that, once a set of compliant contracts has been found, the services that advertised such contracts will behave accordingly. In other words, services are assumed to be honest, in that they always respect the promises made.

In open and dynamic systems, the assumption that all services are honest is not quite realistic. In fact, services have different individual goals, are made available by different providers, and possibly do not trust each other. In practice, services agree upon some contracts, but may then violate them, either intentionally or not. Since this situation may repeatedly occur, it should not be dealt with as the failure of the whole system. Instead, contract violations should be automatically detected and sanctioned by the service infrastructure.

The fact that violations may be sanctioned gives rise to a new kind of attack, which exploits possible discrepancies between the promised and the runtime behaviour of services. If a service does not accurately behave as promised, an attacker can drive it into a situation where the service is sanctioned, while the attacker is reckoned honest. A crucial problem is then how to avoid that a service is found culpable of a contract violation, despite the honest intentions of its developer. More formally, the problem is that of deciding if a process realizes a contract: when this holds, the process is guaranteed never to be culpable w.r.t. the contract in all possible execution contexts.

In this paper we develop a formal theory of contract-oriented systems that enjoys a sound criterion for establishing if a process always realizes its contracts. Our theory combines two basic ingredients: a calculus of contracts, and a calculus of processes that use contracts to interact. Contracts are used by distributed participants to reach agreements; once stipulated, participants can inspect them and decide what to do next.

Ideally, an honest participant is supposed to harmoniously evolve with her contracts; more realistically, our theory also encompasses computations of dishonest participants, which may violate at run-time some contracts they have stipulated. A remarkable result (Theorem 2) is that it is always possible to detect who is culpable of a contract violation at each state of a computation. Also, a participant can always exculpate herself by performing the needed actions (Theorems 1 and 3).

Notably, instead of defining an ad-hoc model, we have embedded the contract calculus of [9] within the process calculus CO2 [2]. To do that, the contracts of [9] have been slightly adapted to define culpability, and CO2 has been specialized to use these contracts. We have formalised when a participant realizes a contract in a given context, i.e. when she is never (irreparably) culpable in computations with that context, and when she is honest, i.e. when she realizes all her contracts, in all possible contexts. The problem of deciding whether a participant is honest is undecidable, in general (Theorem 4). Indeed, one would have to check infinitely many contexts. Furthermore, participants themselves are infinite state systems, which feature recursion and parallel composition. Our main contribution (Theorem 6) is a sound criterion for detecting when a participant is honest. Technically this is achieved by defining a semantics of participants that abstracts away the behaviour of the context. Such semantics allows us to define when a participant fulfils her contracts, even in the presence of dishonest participants.

2 A calculus of contracts 

We assume a finite set of participant names (ranged over by A, B, ...) and a denumerable set of atoms (ranged over by a, b, ...). We postulate an involution co(a), also written as $\bar{a}$, extended to sets of atoms in the natural way.

Def. 1 introduces the syntax of contracts, taking inspiration from [9]. We distinguish between (unilateral) contracts c, which model the promised behaviour of a single participant, and bilateral contracts γ, which combine the contracts of two participants.

Definition 1. Unilateral contracts are defined by the following grammar:

$$c, d \;::=\; \bigoplus_{i \in I} a_i ; c_i \;\mid\; \sum_{i \in I} a_i . c_i \;\mid\; \mathsf{ready}\ a . c \;\mid\; \mathsf{rec}\ X . c \;\mid\; X$$

where (i) the index set I is finite; (ii) the atoms in $\{a_i\}_{i \in I}$ are pairwise distinct; (iii) the ready prefix may appear at the top-level, only; (iv) recursion is guarded.

Let e be a distinguished atom such that $\bar{e} = e$ and whose continuation is the contract $\mathsf{E} = \mathsf{rec}\ X .\ e ; X$. We say that c succeeds iff either $c = e ; \mathsf{E} \oplus d$, or $c = e . \mathsf{E} + d$, or $c = \mathsf{ready}\ e . \mathsf{E}$. We will omit trailing occurrences of E in contracts.

Bilateral contracts are terms of the form A says c | B says d, where A ≠ B and at most one occurrence of ready is present.

Intuitively, the internal sum $\bigoplus_{i \in I} a_i ; c_i$ allows one to choose one of the branches $a_i ; c_i$, to perform the action $a_i$, and then behave according to $c_i$. Dually, the external sum $\sum_{i \in I} a_i . c_i$ constrains to wait for the other participant to choose one of the branches $a_i . c_i$, then to perform the corresponding $a_i$ and finally behave according to $c_i$. Separators ; and . allow us to distinguish singleton internal sums (e.g., a ; c) from singleton external sums (e.g., a . c). The atom e (for "end") enables a participant to successfully terminate, similarly to [9]. This will be reflected in Def. 4. Hereafter, we shall always consider contracts with no free occurrences of recursion variables X. We shall use the binary operators to isolate a branch in a sum: e.g. (a ; c) ⊕ c' where c' is an internal sum.

The evolution of bilateral contracts is modelled by a labelled transition relation $\xrightarrow{\mu}$ (Def. 2), where labels μ = A says a model a participant A performing the action a.

Definition 2. The relation $\xrightarrow{\mu}$ on bilateral contracts is the smallest relation closed under the rules in Fig. 1 and under the structural congruence relation ≡ defined as the least congruence which includes α-conversion of recursion variables, and satisfies $\mathsf{rec}\ X . c \equiv c\{\mathsf{rec}\ X . c / X\}$ and $\bigoplus_{i \in \emptyset} a_i ; c_i \equiv \sum_{i \in \emptyset} a_i . c_i$. Accordingly, empty sums (either internal or external) will be denoted with 0. We will not omit trailing occurrences of 0. Hereafter we shall consider contracts up to ≡.

Fig. 1. Semantics of contracts (rules for B actions omitted)

[IntExt]  $\mathsf{A}\ \mathsf{says}\ (a ; c \oplus c') \mid \mathsf{B}\ \mathsf{says}\ (\bar a . d + d') \xrightarrow{\mathsf{A}\ \mathsf{says}\ a} \mathsf{A}\ \mathsf{says}\ c \mid \mathsf{B}\ \mathsf{says}\ \mathsf{ready}\ \bar a . d$

[IntInt]  $\mathsf{A}\ \mathsf{says}\ (a ; c \oplus c') \mid \mathsf{B}\ \mathsf{says}\ \bar a ; d \xrightarrow{\mathsf{A}\ \mathsf{says}\ a} \mathsf{A}\ \mathsf{says}\ c \mid \mathsf{B}\ \mathsf{says}\ \mathsf{ready}\ \bar a . d$

[ExtExt]  $\mathsf{A}\ \mathsf{says}\ (a . c + c') \mid \mathsf{B}\ \mathsf{says}\ (\bar a . d + d') \xrightarrow{\mathsf{A}\ \mathsf{says}\ a} \mathsf{A}\ \mathsf{says}\ c \mid \mathsf{B}\ \mathsf{says}\ \mathsf{ready}\ \bar a . d$

[Rdy]  $\mathsf{A}\ \mathsf{says}\ \mathsf{ready}\ a . c \mid \mathsf{B}\ \mathsf{says}\ d \xrightarrow{\mathsf{A}\ \mathsf{says}\ a} \mathsf{A}\ \mathsf{says}\ c \mid \mathsf{B}\ \mathsf{says}\ d$

[IntExtFail]  if $a \notin co(\{b_i\}_{i \in I})$:  $\mathsf{A}\ \mathsf{says}\ a ; c \oplus c' \mid \mathsf{B}\ \mathsf{says}\ \sum_{i \in I} b_i . d_i \xrightarrow{\mathsf{A}\ \mathsf{says}\ a} \mathsf{A}\ \mathsf{says}\ \mathsf{E} \mid \mathsf{B}\ \mathsf{says}\ \mathsf{0}$

[IntIntFail]  if $\{a\} \neq co(\{b_i\}_{i \in I})$:  $\mathsf{A}\ \mathsf{says}\ a ; c \oplus c' \mid \mathsf{B}\ \mathsf{says}\ \bigoplus_{i \in I} b_i ; d_i \xrightarrow{\mathsf{A}\ \mathsf{says}\ a} \mathsf{A}\ \mathsf{says}\ \mathsf{E} \mid \mathsf{B}\ \mathsf{says}\ \mathsf{0}$

[ExtExtFail]  if $(\{a\} \cup \{a_i\}_{i \in I}) \cap co(\{b_j\}_{j \in J}) = \emptyset$:  $\mathsf{A}\ \mathsf{says}\ (a . c + \sum_{i \in I} a_i . c_i) \mid \mathsf{B}\ \mathsf{says}\ \sum_{j \in J} b_j . d_j \xrightarrow{\mathsf{A}\ \mathsf{says}\ a} \mathsf{A}\ \mathsf{says}\ \mathsf{E} \mid \mathsf{B}\ \mathsf{says}\ \mathsf{0}$

In the first three rules in Fig. 1, A and B expose complementary actions a, $\bar a$. In rule [IntExt], participant A selects the branch a in an internal sum. Participant B is then forced to commit to the corresponding branch $\bar a$ in his external sum: this is done by marking that branch with ready $\bar a$ while discarding all the other branches. Participant B will then perform his action in the subsequent step, by rule [Rdy]. In rule [IntInt], both participants make an internal choice; a reaction is possible only if one of the two is a singleton (B in the rule), namely he can only commit to his unique branch. Were B exposing multiple branches, the transition would not be allowed, to account for the fact that B could pick a conflicting internal choice w.r.t. that of A. In rule [ExtExt], both participants expose external sums with complementary actions, and each of the two can choose a branch (unlike in the case [IntExt], where the internal choice has to move first). In the [*Fail] rules, the action chosen by A is not supported by B. Then, A will reach the success state E, while B will fall into the failure state 0.

Example 1. Let $\gamma = \mathsf{A}\ \mathsf{says}\ (a ; c_1 \oplus b ; c_2) \mid \mathsf{B}\ \mathsf{says}\ (\bar a . d_1 + \bar c . d_2)$. If the participant A internally chooses to perform a, then γ will take a transition to $\mathsf{A}\ \mathsf{says}\ c_1 \mid \mathsf{B}\ \mathsf{says}\ \mathsf{ready}\ \bar a . d_1$. Suppose instead that A chooses to perform b, which is not offered by B in his external choice. In this case, γ will take a transition to A says E | B says 0, where 0 indicates that B cannot proceed with the interaction. Coherently with [9], below we will characterise this behaviour by saying that the contracts of A and B are not compliant.

The following lemma states that bilateral contracts are never stuck unless both par- 
ticipants have contract 0. Actually, if none of the first four rules in Fig. 1 can be applied, 
the contract can make a transition with one of the [*Fail] rules. 

Lemma 1. A bilateral contract A says c | B says d is stuck iff c = d = 0. 

Below we establish that contracts are deterministic. This is guaranteed by requirement (ii) of Def. 1. Determinism is a very desirable property indeed, because it ensures that the duties of a participant at any given time are uniquely determined by the past actions. Note that the contracts in [9] satisfy distributivity laws like $a ; c \oplus a ; d = a ; (c \oplus d)$, which allow for rewriting them so that (ii) in Def. 1 holds. Therefore, (ii) is not a real restriction w.r.t. [9].

Lemma 2 (Determinism). For all γ, if $\gamma \xrightarrow{\mu} \gamma'$ and $\gamma \xrightarrow{\mu} \gamma''$, then $\gamma' = \gamma''$.

Compliance. Below we define when two contracts are compliant, in a similar fashion to [9]. Intuitively, two contracts are compliant if, whatever sets of choices they offer, there is at least one common option that can make the contracts progress. Differently from [9], our notion of compliance is symmetric, in that we do not discriminate between the participant roles as client and server. Consequently, we do not consider compliant two contracts where only one of the parties is willing to terminate. For example, the buyer contract $\mathit{ship} ; \mathsf{E}$ is not compliant with the seller contract $\overline{\mathit{ship}} . \mathit{pay} ; \mathsf{E}$, because the buyer should not be allowed to terminate if the seller still requires to be paid.

Similarly to [9], given two contracts we observe their ready sets (Def. 3) to detect when the enabled actions allow them to synchronise correctly.

Definition 3 (Compliance). For all contracts c, we define the set of sets RS(c) as:

$$RS(\mathsf{0}) = \{\emptyset\} \qquad RS(\mathsf{ready}\ a . c) = \{\{\mathsf{ready}\}\} \qquad RS(\mathsf{rec}\ X . c) = RS(c)$$

$$RS\Big(\bigoplus_{i \in I} a_i ; c_i\Big) = \{\{a_i\} \mid i \in I\} \ \text{ if } I \neq \emptyset \qquad RS\Big(\sum_{i \in I} a_i . c_i\Big) = \{\{a_i \mid i \in I\}\} \ \text{ if } I \neq \emptyset$$

The relation ⋈ between contracts is the largest relation such that, whenever c ⋈ d:

(1) $\forall X \in RS(c),\ Y \in RS(d).\ \ co(X) \cap Y \neq \emptyset \ \text{ or }\ \mathsf{ready} \in (X \cup Y) \setminus (X \cap Y)$

(2) $\mathsf{A}\ \mathsf{says}\ c \mid \mathsf{B}\ \mathsf{says}\ d \xrightarrow{\mu} \mathsf{A}\ \mathsf{says}\ c' \mid \mathsf{B}\ \mathsf{says}\ d' \implies c' \bowtie d'$

When c ⋈ d, we say that the contracts c and d are compliant.
Example 2. Recall from Ex. 1 the contracts $c = a ; c_1 \oplus b ; c_2$ and $d = \bar a . d_1 + \bar c . d_2$. We have that $RS(c) = \{\{a\}, \{b\}\}$, and $RS(d) = \{\{\bar a, \bar c\}\}$, which do not respect item (1) of Def. 3 (take $X = \{b\}$ and $Y = \{\bar a, \bar c\}$). Therefore, c and d are not compliant.

The following lemma provides an alternative characterization of compliance. Two contracts are compliant iff, when combined into a bilateral contract γ, no computation of γ reaches a state where one of the contracts is 0. Together with Lemma 1, we have that such γ will never get stuck.

Lemma 3. For all bilateral contracts γ = A says c | B says d:

$$c \bowtie d \iff \big(\forall c', d'.\ \ \gamma \to^* \mathsf{A}\ \mathsf{says}\ c' \mid \mathsf{B}\ \mathsf{says}\ d' \implies c' \neq \mathsf{0} \text{ and } d' \neq \mathsf{0}\big)$$

The following lemma guarantees, for all c not containing 0, the existence of a contract d compliant with c. Intuitively, we can construct d from c by turning internal choices into external ones (and vice versa), and by turning actions into co-actions.

Lemma 4. For all 0-free contracts c, there exists d such that c ⋈ d.

Culpability. We now tackle the problem of determining who is expected to make the next step for the fulfilment of a bilateral contract. We call a participant A culpable in γ if she is expected to perform some action so as to make γ progress. Also, we consider A culpable when she is advertising the "failure" contract 0. This agrees with our [*Fail] rules, which set A's contract to 0 when the other participant legitimately chooses an action not supported by A. Note that we do not consider A culpable when her contract has enabled e actions.

Definition 4. A participant A is culpable in γ = A says c | B says d, written $\mathsf{A} \dagger \gamma$, iff:

$$c = \mathsf{0} \quad\lor\quad \Big(\gamma \not\xrightarrow{\mathsf{A}\ \mathsf{says}\ e} \;\land\; \exists a.\ \gamma \xrightarrow{\mathsf{A}\ \mathsf{says}\ a}\Big)$$

When A is not culpable in γ we write $\mathsf{A} \not\dagger \gamma$.

The following result states that a participant A is always able to recover from culpability by performing some of her duties. Furthermore, this requires at most two steps in an "A-solo" trace where no other participant intervenes.

Definition 5. Let → be an LTS with labels of the form $\mathsf{A}_i\ \mathsf{says}\ (\cdots)$, for $\mathsf{A}_i$ ranging over participant names. For all A, we say that a →-trace η is A-solo iff η only contains labels of the form A says (···). If $\eta = (\mu_i)_{i \in 0..n}$, we will write $\gamma \xrightarrow{\eta} \gamma'$ for $\gamma \xrightarrow{\mu_0} \cdots \xrightarrow{\mu_n} \gamma'$.

Theorem 1 (Contractual exculpation). For all γ = A says c | B says d with 0-free c, there exist γ' and an A-solo η with |η| ≤ 2 such that $\gamma \xrightarrow{\eta} \gamma'$ and $\mathsf{A} \not\dagger \gamma'$.

A crucial property of culpability is to ensure that either two participants are both 
succeeding, or it is possible to single out who has to make the next step. An external 
judge is therefore always able to detect who is violating the contracts agreed upon. 



Fig. 2. Structural equivalence for CO2 (Z, Z' range over systems or processes)

commutative monoidal laws for | on processes and systems

$\mathsf{A}[(u)P] \equiv (u)\mathsf{A}[P]$

$Z \mid (u)Z' \equiv (u)(Z \mid Z')$  if $u \notin fv(Z) \cup fn(Z)$

$(u)(v)Z \equiv (v)(u)Z$

$(u)Z \equiv Z$  if $u \notin fv(Z) \cup fn(Z)$

$\mathsf{A}[K] \mid \mathsf{A}[P] \equiv \mathsf{A}[K \mid P]$

$\downarrow_s \mathsf{A}\ \mathsf{says}\ c \;\equiv\; \mathsf{0} \;\equiv\; \mathsf{fuse}_s . P$

Theorem 2. For all c, d, if c ⋈ d and $\mathsf{A}\ \mathsf{says}\ c \mid \mathsf{B}\ \mathsf{says}\ d \to^* \gamma = \mathsf{A}\ \mathsf{says}\ c' \mid \mathsf{B}\ \mathsf{says}\ d'$, then either c' and d' succeed, or $\mathsf{A} \dagger \gamma$, or $\mathsf{B} \dagger \gamma$.

Example 3. A participant might be culpable even though her contract succeeds. For instance, let γ = A says c | B says d, where $c = e + a$ and $d = \bar a + b$. By Def. 1 we have that c succeeds, but A is culpable in γ because she cannot fire e, while she can fire a by rule [ExtExt]. This makes sense, because A is saying that she is either willing to terminate or to perform a, but the other participant is not allowing A to terminate. Note that also B is culpable, because he can fire $\bar a$.



3 A Calculus of Contracting Processes 

We now embed the contracts introduced in § 2 in a specialization of the parametric process calculus CO2 [2]. Let $\mathcal{V}$ and $\mathcal{N}$ be two disjoint countably infinite sets of session variables (ranged over by x, y, ...) and session names (ranged over by s, t, ...). Let u, v, ... range over $\mathcal{V} \cup \mathcal{N}$.

Definition 6. The abstract syntax of CO2 is given by the following productions:

$$\begin{array}{lrcl}
\text{Systems} & S & ::= & \mathsf{A}[P] \;\mid\; s[\gamma] \;\mid\; S \mid S \;\mid\; (u)S \\[2pt]
\text{Processes} & P & ::= & \downarrow_u \mathsf{A}\ \mathsf{says}\ c \;\mid\; \sum_{i \in I} \pi_i . P_i \;\mid\; P \mid P \;\mid\; (u)P \;\mid\; X(\vec u) \\[2pt]
\text{Prefixes} & \pi & ::= & \tau \;\mid\; \mathsf{tell}_\mathsf{A} \downarrow_u c \;\mid\; \mathsf{fuse}_u \;\mid\; \mathsf{do}_u\, a \;\mid\; \mathsf{ask}_u\, \phi
\end{array}$$

The only binder for session variables and names is the delimitation (both in systems and processes). Free variables/names are defined accordingly, and they are denoted by fv(_) and fn(_). A system or a process is closed when it has no free variables.

Systems are the parallel composition of participants A[P] and sessions s[γ].

A latent contract $\downarrow_x \mathsf{A}\ \mathsf{says}\ c$ represents a contract c (advertised by A) which has not been stipulated yet; upon stipulation, x will be instantiated to a fresh session name. We impose that in a system A[P] | A[Q] | S, either P or Q is a parallel composition of latent contracts. Hereafter, K, K', ... are meta-variables for compositions of latent contracts. We allow prefix-guarded finite sums of processes, and write $\pi_1 . P_1 + \pi_2 . P_2$ for $\sum_{i = 1,2} \pi_i . P_i$, and 0 for the empty sum. Recursion is allowed only for processes; for this we stipulate that each process identifier X has a unique defining equation $X(u_1, \ldots, u_j) \doteq P$ such that $fv(P) \subseteq \{u_1, \ldots, u_j\} \subseteq \mathcal{V}$ and each occurrence of process identifiers in P is prefix-guarded.
[Tau]  $\mathsf{A}[\tau . P + P' \mid Q] \to \mathsf{A}[P \mid Q]$

[Tell]  $\mathsf{A}[\mathsf{tell}_\mathsf{B} \downarrow_x c . P + P' \mid Q] \to \mathsf{A}[P \mid Q] \mid \mathsf{B}[\downarrow_x \mathsf{A}\ \mathsf{says}\ c]$

[Fuse]  if $K \triangleright^\sigma (\gamma, K')$, $\vec u = dom(\sigma)$ and $s = \sigma(x)$ is fresh:
$(\vec u)(\mathsf{A}[\mathsf{fuse}_x . P + P' \mid K \mid Q] \mid S) \to (s)(\mathsf{A}[P \mid Q \mid K']\sigma \mid s[\gamma] \mid S\sigma)$

[Do]  if $\gamma \xrightarrow{\mathsf{A}\ \mathsf{says}\ a} \gamma'$:  $s[\gamma] \mid \mathsf{A}[\mathsf{do}_s\, a . P + P' \mid Q] \to s[\gamma'] \mid \mathsf{A}[P \mid Q]$

[Ask]  if $\gamma \vdash \phi$:  $\mathsf{A}[\mathsf{ask}_s\, \phi . P + P' \mid Q] \mid s[\gamma] \to \mathsf{A}[P \mid Q] \mid s[\gamma]$

[Def]  if $X(\vec u) \doteq P$ and $\mathsf{A}[P\{\vec v/\vec u\} \mid Q] \to S'$:  $\mathsf{A}[X(\vec v) \mid Q] \to S'$

[Par]  if $S \to S'$:  $S \mid S'' \to S' \mid S''$

[Del]  if $S \to S'$:  $(u)S \to (u)S'$

Fig. 3. Reduction semantics of CO2



Prefixes include the silent action τ, contract advertisement $\mathsf{tell}_\mathsf{A} \downarrow_u c$, contract stipulation $\mathsf{fuse}_u$, action execution $\mathsf{do}_u\, a$, and contract query $\mathsf{ask}_u\, \phi$. In each prefix π ≠ τ, u refers to the target session involved in the execution of π. We omit trailing occurrences of 0.

Note that participants can only contain latent contracts, while sessions can only contain bilateral contracts, constructed from latent contracts upon reaching agreements.

The semantics of CO2 is formalised by a reduction relation → on systems that relies on the structural congruence defined in Fig. 2, where the last law allows for collecting garbage terms possibly arising from variable substitutions.

Definition 7. The relation → is the smallest relation closed under the rules of Fig. 3, defined over systems up to structural equivalence, as defined in Fig. 2. The relation $K \triangleright^\sigma (\gamma, K')$ holds iff (i) K has the form $\downarrow_x \mathsf{A}\ \mathsf{says}\ c \mid \downarrow_y \mathsf{B}\ \mathsf{says}\ d \mid K'$, (ii) c ⋈ d, (iii) γ = A says c | B says d, and (iv) $\sigma = \{s/x, y\}$ maps x, y ∈ $\mathcal{V}$ to s ∈ $\mathcal{N}$.

Rule [Tau] simply fires a τ prefix as expected. Rule [Tell] advertises a latent contract $\downarrow_x \mathsf{A}\ \mathsf{says}\ c$, by putting it in parallel with the existing participants and sessions (the structural congruence laws in Fig. 2 allow latent contracts to float in a system and, by the second last law, to move across the boxes of participants as appropriate). Rule [Fuse] finds agreements among the latent contracts K of A; an agreement is reached when K contains a bilateral contract γ whose unilateral contracts are compliant (cf. Def. 7). Note that, once the agreement is reached, the compliant contracts start a fresh session containing γ. Rule [Do] allows a participant A to fulfil her contract γ, by performing the needed actions in the session containing γ (which, accordingly, evolves to γ'). Rule [Ask] checks if a condition φ holds in a session. The actual nature of φ is almost immaterial in this paper: the reader may assume that φ is a formula in an LTL logic [12]. For closed γ and φ, γ ⊢ φ holds iff $\gamma \models_{LTL} \phi$ according to the standard LTL semantics where, for a →-trace $\eta = (\gamma_i \xrightarrow{\mu_i} \gamma_{i+1})_i$ from $\gamma_0 = \gamma$, we define $\eta \models a$ iff $\exists \mathsf{A}.\ \mu_0 = \mathsf{A}\ \mathsf{says}\ a$. The last three rules are standard.
Hereafter it will be sometimes useful to record the prefix π fired by A by implicitly decorating the corresponding reduction step, as in $S \xrightarrow{\mathsf{A}\ \mathsf{says}\ \pi} S'$.

The rest of this section is devoted to a few examples that highlight how bilateral contracts can be used in CO2.

Example 4. Consider an online store A with the following contract $c_\mathsf{A}$: buyers can add items to the shopping cart, and then either leave the store or pay with a credit card. Assume the store modelled as the CO2 process $P_\mathsf{A} = (x)(\mathsf{tell}_\mathsf{A} \downarrow_x c_\mathsf{A} . X \mid \mathsf{fuse}_x)$, where:

$c_\mathsf{A} = \mathsf{rec}\ Z.\ \mathit{addToCart} . Z + \mathit{creditCard} . (\mathit{ok} \oplus \mathit{no}) + e$

$X = \mathsf{do}_x\, \mathit{addToCart} . X + \mathsf{do}_x\, \mathit{creditCard} . (\tau . \mathsf{do}_x\, \mathit{ok} + \tau . \mathsf{do}_x\, \mathit{no})$

Let B be a buyer with contract $c_\mathsf{B} = \overline{\mathit{addToCart}} ; \overline{\mathit{creditCard}} ; (\overline{\mathit{ok}} + \overline{\mathit{no}})$, and let:

$P_\mathsf{B} = (y)\, \mathsf{tell}_\mathsf{A} \downarrow_y c_\mathsf{B} . Y \qquad Y = \mathsf{do}_y\, \overline{\mathit{addToCart}} . \mathsf{do}_y\, \overline{\mathit{creditCard}} . \mathsf{do}_y\, \overline{\mathit{ok}}$

A possible, successful, computation of the system $S = \mathsf{A}[P_\mathsf{A}] \mid \mathsf{B}[P_\mathsf{B}]$ is the following:

$S \to^* (x, y)(\mathsf{A}[\downarrow_x \mathsf{A}\ \mathsf{says}\ c_\mathsf{A} \mid \downarrow_y \mathsf{B}\ \mathsf{says}\ c_\mathsf{B} \mid \mathsf{fuse}_x \mid X] \mid \mathsf{B}[Y])$

$\to (s)(\mathsf{A}[X\{s/x\}] \mid \mathsf{B}[Y\{s/y\}] \mid s[\mathsf{A}\ \mathsf{says}\ c_\mathsf{A} \mid \mathsf{B}\ \mathsf{says}\ c_\mathsf{B}])$

$\to^* (s)(\mathsf{A}[X\{s/x\}] \mid \mathsf{B}[\mathsf{do}_s\, \overline{\mathit{creditCard}} . \mathsf{do}_s\, \overline{\mathit{ok}}] \mid s[\mathsf{A}\ \mathsf{says}\ c_\mathsf{A} \mid \mathsf{B}\ \mathsf{says}\ \overline{\mathit{creditCard}} ; (\overline{\mathit{ok}} + \overline{\mathit{no}})])$

$\to^* (s)(\mathsf{A}[\tau . \mathsf{do}_s\, \mathit{ok} + \tau . \mathsf{do}_s\, \mathit{no}] \mid \mathsf{B}[\mathsf{do}_s\, \overline{\mathit{ok}}] \mid s[\mathsf{A}\ \mathsf{says}\ \mathit{ok} \oplus \mathit{no} \mid \mathsf{B}\ \mathsf{says}\ \overline{\mathit{ok}} + \overline{\mathit{no}}])$

$\to (s)(\mathsf{A}[\mathsf{do}_s\, \mathit{ok}] \mid \mathsf{B}[\mathsf{do}_s\, \overline{\mathit{ok}}] \mid s[\mathsf{A}\ \mathsf{says}\ \mathit{ok} \oplus \mathit{no} \mid \mathsf{B}\ \mathsf{says}\ \overline{\mathit{ok}} + \overline{\mathit{no}}])$

$\to^* (s)(\mathsf{A}[\mathsf{0}] \mid \mathsf{B}[\mathsf{0}] \mid s[\mathsf{A}\ \mathsf{says}\ \mathsf{E} \mid \mathsf{B}\ \mathsf{says}\ \mathsf{E}])$

Example 5. An on-line store A offers buyers two options: clickPay or clickVoucher. If a buyer B chooses clickPay, A accepts the payment (pay); otherwise A checks the validity of the voucher with V, an electronic voucher distribution and management system. If V validates the voucher, B can use it (voucher), otherwise he will pay.

The contracts $c_\mathsf{A} = \mathit{clickPay} . \mathit{pay} + \mathit{clickVoucher} . (\mathit{reject} ; \mathit{pay} \oplus \mathit{accept} ; \mathit{voucher})$ and $c'_\mathsf{A} = \mathit{ok} + \mathit{no}$ model the scenario above. A CO2 process for A can be the following:

$P_\mathsf{A} = (x)(\mathsf{tell}_\mathsf{A} \downarrow_x c_\mathsf{A} . (\mathsf{do}_x\, \mathit{clickPay} . \mathsf{do}_x\, \mathit{pay} + \mathsf{do}_x\, \mathit{clickVoucher} . ((y)\, \mathsf{tell}_\mathsf{V} \downarrow_y c'_\mathsf{A} . X)))$

$X = \mathsf{do}_y\, \mathit{ok} . \mathsf{do}_x\, \mathit{accept} . \mathsf{do}_x\, \mathit{voucher} + \mathsf{do}_y\, \mathit{no} . \mathsf{do}_x\, \mathit{reject} . \mathsf{do}_x\, \mathit{pay} + \tau . \mathsf{do}_x\, \mathit{reject} . \mathsf{do}_x\, \mathit{pay}$

Contract $c_\mathsf{A}$ (resp. $c'_\mathsf{A}$) is stipulated when (i) B (resp. V) advertises to A (resp. V) a contract d with $c_\mathsf{A} \bowtie d$ (resp. $c'_\mathsf{A} \bowtie d$) and (ii) a fuse is executed in A (resp. V).

Variables x and y in $P_\mathsf{A}$ correspond to two separate sessions, where A respectively interacts with B and V. The semantics of CO2 ensures that x and y will be instantiated to different session names (if at all).

The advertisement of $c'_\mathsf{A}$ causally depends on the stipulation of the contracts of A and B, otherwise A cannot fire $\mathsf{do}_x\, \mathit{clickVoucher}$. Instead, A and B can interact regardless of the presence of V, since $\mathsf{tell}_\mathsf{V} \downarrow_y c'_\mathsf{A}$ is non-blocking and the τ-branch of X is enabled (letting A autonomously reject the voucher, e.g. because B is not entitled to use it).
Example 6. Consider a travel agency A which queries in parallel an airline ticket broker F and a hotel reservation service H in order to complete the organization of a trip. The travel agency service A[P] can be defined as follows:

$P = (x, y)(\mathsf{tell}_\mathsf{F} \downarrow_x \mathit{ticket} ; (\mathit{commitF} \oplus \mathit{abortF}) . X \mid \mathsf{tell}_\mathsf{H} \downarrow_y \mathit{hotel} ; (\mathit{commitH} \oplus \mathit{abortH}) . Y)$

$X = \mathsf{do}_x\, \mathit{ticket} . ((\mathsf{ask}_y\, \mathit{true} . \mathsf{do}_x\, \mathit{commitF}) + \tau . \mathsf{do}_x\, \mathit{abortF})$

$Y = \mathsf{do}_y\, \mathit{hotel} . ((\mathsf{ask}_x\, \mathit{true} . \mathsf{do}_y\, \mathit{commitH}) + \tau . \mathsf{do}_y\, \mathit{abortH})$

where the τ actions model timeouts used to ensure progress. The travel agency in process X starts buying a ticket, and commits to it only when the hotel reservation session y is started. Similarly for process Y.

The next example shows a peculiar use of ask whereby a participant inspects a stipulated contract to decide its future behaviour.

Example 7. An online store A can choose whether to abort a transaction (abort) or to commit to the payment (commit). In the latter case, the buyer has two options: either he pays by credit card (creditCard) or by bank transfer (bankTransfer). The contract of A is modelled as $c = \mathit{abort} \oplus \mathit{commit} ; (\mathit{creditCard} + \mathit{bankTransfer})$. Consider the process

$P_\mathsf{A} = (x)(\mathsf{tell}_\mathsf{A} \downarrow_x c . (\mathsf{ask}_x\, \phi . \mathsf{do}_x\, \mathit{commit} . \mathsf{do}_x\, \mathit{creditCard} + \mathsf{do}_x\, \mathit{abort}))$

where $\phi = \Box(\mathit{commit} \to \neg\Diamond\, \mathit{bankTransfer})$. The process $P_\mathsf{A}$ first advertises c. Once a session s[γ] is initiated with γ = A says c | B says d, A tests γ through $\mathsf{ask}_x\, \phi$ before committing to the payment. If $\mathsf{ask}_x\, \phi$ detects that B has promised not to use the bank transfer option, then A commits to the payment, and B is then never offered the possibility of performing a bank transfer. Otherwise, if d does not rule out the bank transfer, even if B might actually pay by credit card, A aborts the session. Note that in both cases A realizes her own contract, even though she never performs the bank transfer.

4 On honesty 

In this section we set out when a participant A is honest (Def. 11). Intuitively, we consider all the possible runs of all possible systems, and require that in every session A is not definitely culpable. To this aim, we first provide CO2 with the counterpart of the (non)culpability relation introduced in Def. 4. Intuitively, we write $\mathsf{A} \not\dagger_s S$ when, in the system S, if the participant A is involved in the session s, then she is not culpable w.r.t. the contract stipulated therein.

Definition 8. We write $\mathsf{A} \not\dagger_s S$ whenever $\forall \vec u, \gamma, S'.\ (S \equiv (\vec u)(s[\gamma] \mid S') \implies \mathsf{A} \not\dagger \gamma)$. We write $\mathsf{A} \not\dagger S$ whenever $\mathsf{A} \not\dagger_s S$ for all session names s.

A technical issue is that a participant might not get a chance to act in all the traces. For instance, let $S = \mathsf{A}[\mathsf{do}_s\, \mathit{pay}] \mid \mathsf{B}[X] \mid S'$, where S' enables A's action and $X \doteq \tau . X$; note that S generates the infinite trace S → S → S → ··· in which A never pays, despite her honest intention. To account for this fact, we will check the honesty of a participant in fair traces, only, i.e. those where persistent transitions are eventually followed.
Definition 9. Given an LTS →, we say that a (finite or infinite) trace $\eta = (P_i \xrightarrow{\mu_i} P_{i+1})_i$ having length $|\eta| \in \mathbb{N} \cup \{\infty\}$ is fair w.r.t. a set of labels L if and only if

$$\forall i \in \mathbb{N},\ \mu \in L.\ \ \Big(i \le |\eta| \;\land\; \big(\forall j \in \mathbb{N}.\ i \le j \le |\eta| \implies P_j \xrightarrow{\mu}\big)\Big) \implies \exists j \ge i.\ \mu_j = \mu$$

A fair trace is a trace which is fair w.r.t. all the labels in the LTS.

Note that, by Def. 9, a fair trace is also a maximal one (w.r.t. L). Indeed, if a fair trace is finite, the condition above guarantees that its final state has no L transitions enabled.

Finally, when checking the fairness of a trace, we shall implicitly assume that the labels μ in our LTSs of contracts and processes always distinguish between different occurrences of the same prefix. E.g., a →-fair trace of A[X | X] where $X \doteq \tau . X$ is not allowed to only perform the τ's of the first X. Technically, labels μ always implicitly carry the syntactic address of the prefix which is being fired, in the spirit of the Enhanced Structured Operational Semantics [11].

In a stable trace the identity of names and variables cannot be confused by α-conversion. Indeed, α-conversion is only needed to make delimitations fresh when unfolding recursive processes. W.l.o.g. hereafter we shall often consider stable traces, only: in this way we ensure that e.g. a name s represents the same session throughout the whole trace.

Definition 10. A stable →-trace is a trace $(\vec u_0)S_0 \to (\vec u_1)S_1 \to (\vec u_2)S_2 \to \cdots$ in which (1) all delimitations carry distinct names and variables, (2) delimitations have been brought to the top-level as much as possible (using ≡), and (3) no α-conversion is performed in the trace except when unfolding recursive processes.

Below, we define several notions of contract faithfulness for participants. We start by clarifying when a participant A realizes a contract (inside a session s) within a specific context. This happens when, from any reachable system state $S_0$, participant A will eventually perform actions to exculpate herself (in s). In this phase, A is protected from interference by other participants. Then, we say that A is honest in a system if she realizes every contract in that system. When A[P] is honest independently of the system, we simply say that A[P] is honest. In this last case, we rule out those systems carrying stipulated or latent contracts of A outside of A[P]; otherwise the system could trivially make A culpable: e.g., we disallow $\mathsf{A}[P] \mid \mathsf{B}[\downarrow_x \mathsf{A}\ \mathsf{says}\ \mathit{pay} \mid \cdots]$.

Definition 11 (Honesty). We say that:

- A realizes c at s in S iff whenever $S \equiv (\vec u)(s[\mathsf{A}\ \mathsf{says}\ c \mid \mathsf{B}\ \mathsf{says}\ d] \mid S')$, $S \to^* S_0$, and $(S_i)_i$ is a {A says π}-fair A-solo stable →-trace, then $\mathsf{A} \not\dagger_s S_j$ for some j ≥ 0;

- A is honest in S iff for all c and s, A realizes c at s in S;

- A[P] is honest iff for all S with no A says ··· nor A[···], A is honest in A[P] | S.

Example 8. A computation of the store-buyer system $S = \mathsf{A}[P_\mathsf{A}] \mid \mathsf{B}[P_\mathsf{B}]$ from Ex. 4 is:

$S \to^* (s)(\mathsf{A}[\tau . \mathsf{do}_s\, \mathit{ok} + \tau . \mathsf{do}_s\, \mathit{no}] \mid \mathsf{B}[\mathsf{do}_s\, \overline{\mathit{ok}}] \mid s[\mathsf{A}\ \mathsf{says}\ \mathit{ok} \oplus \mathit{no} \mid \mathsf{B}\ \mathsf{says}\ \overline{\mathit{ok}} + \overline{\mathit{no}}])$

$\to (s)(\mathsf{A}[\mathsf{do}_s\, \mathit{no}] \mid \mathsf{B}[\mathsf{do}_s\, \overline{\mathit{ok}}] \mid s[\mathsf{A}\ \mathsf{says}\ \mathit{ok} \oplus \mathit{no} \mid \mathsf{B}\ \mathsf{says}\ \overline{\mathit{ok}} + \overline{\mathit{no}}])$

$\to (s)(\mathsf{A}[\mathsf{0}] \mid \mathsf{B}[\mathsf{do}_s\, \overline{\mathit{ok}}] \mid s[\gamma])$

where $\gamma = \mathsf{A}\ \mathsf{says}\ \mathsf{E} \mid \mathsf{B}\ \mathsf{says}\ \mathsf{ready}\ \overline{\mathit{no}}$. The system is then stuck, because γ does not allow the [Do] step. By Def. 4 we have $\mathsf{A} \not\dagger \gamma$ and $\mathsf{B} \dagger \gamma$, so A is honest in S while B is not. Actually, B has violated the contract agreed upon, because he is waiting for a positive answer from the store, while in $c_\mathsf{B}$ he also promised to accept a no. By Def. 11, B is not honest, while we will show in § 5 that A is honest (see Ex. 9).

We now define when a process enables a contract transition, independently from the context. To do that, first we define the set $RD_s(P)$ (after "ready do"), which collects all the atoms with an unguarded action $\mathsf{do}_s$ in P.

Definition 12. For all P and all s, we define the set of atoms $RD_s(P)$ as:

$$RD_s(P) = \{a \mid \exists \vec u, P', Q, R.\ \ P \equiv (\vec u)(\mathsf{do}_s\, a . P' + Q \mid R) \ \text{ and } s \notin \vec u\}$$

Next, we check when a contract "unblocks" a set of atoms X: e.g., if X accounts for at least one branch of an internal choice, or for all the branches of an external choice.

Definition 13. For all sets of atoms X and for all c ≠ 0, we say that c unblocks X iff:

$$\exists Y \in RS(c).\ Y \subseteq X \cup \{e\} \qquad\text{or}\qquad c = \mathsf{ready}\ a . c' \;\land\; a \in X \cup \{e\}$$

Lemma 5. For all P and for all γ = A says c | B says d, if c unblocks $RD_s(P)$ and $S \equiv (\vec u)(\mathsf{A}[P] \mid s[\gamma] \mid S')$, then either $\mathsf{A} \not\dagger \gamma$ or $S \xrightarrow{\mathsf{A}\ \mathsf{says}\ \mathsf{do}_s}$.
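The two sets compared by Lemma 5, the "ready do" atoms of Def. 12 and the ready sets behind the unblocks check of Def. 13, are what the honesty criterion of the next section inspects, and they are cheap to compute on a syntax tree. The following Python is an added example for this page, not code from the paper. It assumes a tuple encoding of its own for processes (`sum`, `par` and `delim` nodes, prefixes such as `('do', s, a)` or `('tau',)`) and for contracts whose recursion has already been unfolded (`int`, `ext` or `ready` at the top level; `E0` stands in for the omitted continuations, since only the top-level constructor matters to RS). The constructed inputs replay Example 8 (the buyer B waiting only for ok against the promise ok + no, and the store A before and after its τ) and the store's process X of Example 4 against $c_\mathsf{A}$; B's atoms carry the `~` co-action mark.

```python
# Processes: ('sum', ((prefix, P), ...)), ('par', P, Q), ('delim', u, P); NIL is the empty sum.
# Prefixes: ('do', s, a), ('tau',), ('ask', s, phi), ... ; only do_s prefixes matter to RD_s.
# Contracts (rec already unfolded): ('int'|'ext', ((a, c), ...)) or ('ready', a, c).
NIL = ('sum', ())
E0 = ('int', ())   # placeholder for an omitted trailing E; never inspected below

def rd(P, s):  # RD_s(P) of Def. 12: atoms of unguarded do_s prefixes not under a delimitation of s
    if P[0] == 'delim':
        return set() if P[1] == s else rd(P[2], s)
    if P[0] == 'par':
        return rd(P[1], s) | rd(P[2], s)
    return {pre[2] for pre, _ in P[1] if pre[0] == 'do' and pre[1] == s}  # top-level prefixes only

def ready_sets(c):  # RS(c) of Def. 3 read off the top-level constructor
    if c[0] == 'ready':
        return {frozenset({'ready'})}
    if c[0] == 'int':
        return {frozenset({a}) for a, _ in c[1]} or {frozenset()}
    return {frozenset(a for a, _ in c[1])}

def unblocks(c, X):  # Def. 13: a ready set (or the ready atom) is covered by X together with e
    covered = set(X) | {'e'}
    if c[0] == 'ready':
        return c[1] in covered
    return any(Y <= covered for Y in ready_sets(c))

def enables(P, s, c):  # hypothesis of Lemma 5: the contract c of the owner of P unblocks RD_s(P)
    return unblocks(c, rd(P, s))

# Constructed inputs (Example 8 and Example 4).
S = 's'
Q_B = ('sum', ((('do', S, '~ok'), NIL),))                        # B waits only for ok ...
D_B = ('ext', (('~ok', E0), ('~no', E0)))                        # ... but promised ok + no
Q_A = ('sum', ((('tau',), ('sum', ((('do', S, 'ok'), NIL),))),
               (('tau',), ('sum', ((('do', S, 'no'), NIL),)))))  # tau . do_s ok + tau . do_s no
Q_A_AFTER_TAU = ('sum', ((('do', S, 'no'), NIL),))               # after the second tau fired
C_A = ('int', (('ok', E0), ('no', E0)))                          # ok (+) no
STORE_X = ('sum', ((('do', S, 'addToCart'), NIL), (('do', S, 'creditCard'), NIL)))
STORE_C = ('ext', (('addToCart', E0), ('creditCard', E0), ('e', E0)))  # c_A of Ex. 4, unfolded
DELIMITED = ('par', ('delim', S, ('sum', ((('do', S, 'a'), NIL),))),
             ('sum', ((('do', S, 'b'), NIL),)))                  # (s)(do_s a) | do_s b
```

`enables(Q_B, S, D_B)` is False: the external sum needs both `~ok` and `~no` covered, and B only offers `~ok`, which is exactly why B ends up culpable in Example 8. For the store, `Q_A` has an empty ready-do set while both do prefixes are guarded by τ, and the check passes once a τ has fired. `STORE_X` unblocks the unfolded $c_\mathsf{A}$ because the `e` branch is granted for free by Def. 13. `DELIMITED` shows the side condition $s \notin \vec u$: the do under a delimitation of s does not count.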

The following theorem is the CO2 counterpart of Theorem 1. It states that, when a session s is established between two participants A and B, A can always exculpate herself by performing (at most) two actions $\mathsf{A}\ \mathsf{says}\ \mathsf{do}_s\,\_$. Note that when the contracts used to establish s are compliant, then we deduce the stronger thesis $\mathsf{A} \not\dagger_s S_j$.

Theorem 3 (Factual exculpation). Let $(S_i)_i$ be the following A-solo stable →-trace, with $S_i = (\vec u_i)(\mathsf{A}[Q_i] \mid s[\mathsf{A}\ \mathsf{says}\ c_i \mid \mathsf{B}\ \mathsf{says}\ d_i] \mid S'_i)$, and:

$$S_0 \xrightarrow{\mu_0} \cdots \xrightarrow{\mu_{i-2}} S_{i-1} \xrightarrow{\mathsf{A}\ \mathsf{says}\ \mathsf{do}_s\, a} S_i \xrightarrow{\mu_i} \cdots \xrightarrow{\mu_{j-2}} S_{j-1} \xrightarrow{\mathsf{A}\ \mathsf{says}\ \mathsf{do}_s\, b} S_j \xrightarrow{\mu_j} \cdots$$

where $\mu_h \neq \mathsf{A}\ \mathsf{says}\ \mathsf{do}_s\,\_$ for all h ∈ [i, j−2]. Then, either $c_j = \mathsf{0}$ or $\mathsf{A} \not\dagger_s S_j$.

The following theorem states the undecidability of honesty.

Theorem 4. The problem of deciding whether a participant A[P] is dishonest is recursively enumerable, but not recursive.

5 A criterion for honesty 

In this section we devise a sufficient criterion for honesty. Actually, checking honesty is 
a challenging task (indeed, by Th. 4, it is not even decidable), because Def. 1 1 involves 
a universal quantification over all possible contexts. We will then provide a semantics of 
contracts and processes, that focusses on the actions performed by a single participant 
A, while abstracting from those made by the context. Note that our abstract semantics 
assumes processes without top-level delimitations, in accordance with Def. 10 which 
lifts such delimitations outside participants. Further, we sometimes perform this lifting 
explicitly through the open(-) operator. 
[Fig. 4: rules of the abstract LTSs $\rightarrow_\sharp$ on contracts and on processes (the rule table is not recoverable from the extracted text). The figure also defines the $\mathsf{open}(\cdot)$ operator:]

$\mathsf{open}(P) = P'$ where $P \equiv (\vec{u})P'$ and no delimitation of $P'$ can be brought to the top level

Fig. 4. Abstract LTSs for contracts and processes.

Definition 14. For all participant names $A$, the abstract LTSs $\rightarrow_\sharp$ on contracts and on processes, respectively, are defined by the rules in Fig. 4.

The intuition behind the abstract rules is provided by Lemma 6 and Lemma 7 below, 
which establish the soundness of the abstractions. 

Lemma 6. For all bilateral contracts $\gamma = A \text{ says } c \mid B \text{ says } d$:

1. $\gamma \xrightarrow{A \text{ says } a} A \text{ says } c' \mid B \text{ says } d' \implies c \xrightarrow{a}_\sharp c' \wedge (d \xrightarrow{\mathit{ctx}}_\sharp d' \vee d \xrightarrow{\mathit{ctx}}_\sharp 0)$

2. $\gamma \xrightarrow{B \text{ says } a} A \text{ says } c' \mid B \text{ says } d' \wedge c \bowtie d \implies c \xrightarrow{\mathit{ctx}}_\sharp c' \wedge d \rightarrow_\sharp d'$

Intuitively, a move of $\gamma$ is caused by an action performed by one of its components $c$ and $d$. If $c$ moves, the $\xrightarrow{a}_\sharp$ rules account for its continuation. This might make $d$ commit to one of the branches of a sum, as shown in the $\xrightarrow{\mathit{ctx}}_\sharp$ rules. Further, $c$ can perform an action not supported by $d$, by using a [$\cdot$Fail] rule: accordingly, $\rightarrow_\sharp$ transforms $d$ into $0$. The compliance between $c$ and $d$ ensures the absence of such failure moves.

Lemma 7. For each (finite or infinite) stable $\rightarrow$-trace $(S_i)_i$, with $S_i \equiv (\vec{u}_i)(A[Q_i] \mid S'_i)$, there exists a $\rightarrow_\sharp$-trace $Q_0 \xrightarrow{\mu_0}_\sharp Q_1 \xrightarrow{\mu_1}_\sharp Q_2 \xrightarrow{\mu_2}_\sharp \cdots$ where $\mu_i = \pi$ if $S_i \xrightarrow{A \text{ says } \pi} S_{i+1}$, and $\mu_i = \mathit{ctx}$ otherwise. Moreover, if $(S_i)_i$ is fair, then $(Q_i)_i$ is $\{\tau, \mathsf{tell}\}$-fair.

In the above lemma, each step of the whole system might be due to either the process $Q_i$ or its context. If $Q_i$ fires a prefix $\pi$, then it changes according to the $\xrightarrow{\pi}_\sharp$ rule in Fig. 4. In particular, that accounts for $\mathsf{tell}_A\, -$ adding further latent contracts to $Q_i$, as well as $\mathsf{fuse}$ possibly instantiating variables. Newly exposed delimitations are removed using $\mathsf{open}(\cdot)$: indeed, they already appear in $\vec{u}_i$, since the trace is stable.

We now define when a process $P$ "$\sharp$-realizes" a contract $c$ in a session $s$ (written $P \models^\sharp_s c$), without making any assumptions about its context. Intuitively, $P \models^\sharp_s c$ holds when (1) $P$ eventually enables the $\mathsf{do}_s$ actions mandated by $c$, and (2) in the abstract LTS $\rightarrow_\sharp$, the continuation of $P$ after firing some $\mathsf{do}_s$ must realize the continuation of $c$ (under $\rightarrow_\sharp$). Note that $P$ is not required to actually perform the relevant $\mathsf{do}_s$, because the context might prevent $P$ from doing so. For instance, in the system $A[P] \mid s[A \text{ says } c \mid B \text{ says } \mathsf{ready}\ a.d]$ the process $P$ cannot fire any $\mathsf{do}_s$.
Definition 15. Given a session $s$ and a participant $A$, we define the relation $\models^\sharp_s$ ("$\sharp$-realizes") between processes and contracts as the largest relation such that, whenever $P_0 \models^\sharp_s c$, then for each $\{\tau, \mathsf{tell}\}$-fair $\rightarrow_\sharp$-trace $(P_i)_i$ without labels $\mathsf{do}_s\, -$, we have:

1. $\exists k.\; \forall i \geq k.\; c$ unblocks $RD_s(P_i)$

2. $\forall i, a, P', c'.\; (P_i \xrightarrow{\mathsf{do}_s\, a}_\sharp P' \wedge c \xrightarrow{a}_\sharp c') \implies P' \models^\sharp_s c'$

Example 9. Recall the online store $A$ from Ex. 4. We show that $X\{s/x\} \models^\sharp_s c_A$. First note that transitions in $\{\tau, \mathsf{tell}\}$-fair $\rightarrow_\sharp$-traces without $\mathsf{do}_s$ from $X\{s/x\}$ can only be labelled with $\mathit{ctx}$. Thus, each process $P_i$ on such traces has the form $X\{s/x\} \mid K_i$, for some $K_i$. We have $RD_s(P_i) = RD_s(X\{s/x\}) = \{\mathsf{addToCart}, \mathsf{creditCard}\}$. Moreover, $c_A$ unblocks $RD_s(X\{s/x\})$, hence condition (1) of Def. 15 holds. For condition (2), if $c_A \xrightarrow{\mathsf{creditCard}}_\sharp c' = \mathsf{accept} \oplus \mathsf{reject}$ and $P_i \xrightarrow{\mathsf{do}_s\, \mathsf{creditCard}}_\sharp P' = \tau.\mathsf{do}_s\, \mathsf{accept} + \tau.\mathsf{do}_s\, \mathsf{reject} \mid K_i$, then $P' \models^\sharp_s c'$. Actually, all processes on $\{\tau, \mathsf{tell}\}$-fair $\rightarrow_\sharp$-traces without $\mathsf{do}_s$ from $P'$ have either the form $\mathsf{do}_s\, \mathsf{accept} \mid K$ or the form $\mathsf{do}_s\, \mathsf{reject} \mid K$. For the recursive case, $c_A \xrightarrow{\mathsf{addToCart}}_\sharp c_A$ and $P_i \xrightarrow{\mathsf{do}_s\, \mathsf{addToCart}}_\sharp X\{s/x\}$, hence $X\{s/x\} \models^\sharp_s c_A$ by coinduction. Note that the case $c_A \xrightarrow{\mathsf{e}}_\sharp$ did not apply, because $P_i$ cannot take $\rightarrow_\sharp$-transitions labelled $\mathsf{do}_s\, \mathsf{e}$.

Theorem 5 below establishes an invariant of system transitions. If a participant $A[Q_0]$ $\sharp$-realizes a stipulated contract $c_0$, then in each evolution of the system the descendant of $A[Q_0]$ still $\sharp$-realizes the related descendant of $c_0$. The theorem only assumes that $c_0$ is in a session with a compliant contract, as is the case after firing a $\mathsf{fuse}$.

Theorem 5. Let $(S_i)_i$ be a stable $\rightarrow$-trace with $S_i \equiv (\vec{u}_i)(A[Q_i] \mid s[A \text{ says } c_i \mid B \text{ says } d_i] \mid S'_i)$ for all $i$. If $c_0 \bowtie d_0$ and $Q_0 \models^\sharp_s c_0$, then $Q_i \models^\sharp_s c_i$ for all $i$.

We now define when a participant is $\sharp$-honest. Intuitively, we classify as such a participant $A[P]$ when, for all prefixes $\mathsf{tell}\,{\downarrow_x} c$ contained in $P$, the continuation $Q$ of the prefix $\sharp$-realizes $c$. We also require that the session variable $x$ cannot be used by any process in parallel with $Q$, because such processes could potentially compromise the ability of $Q$ to realise $c$ (see Ex. 10).

Definition 16 ($\sharp$-honest participant). A participant $A[P]$ is $\sharp$-honest iff $P$ does not contain ${\downarrow_y} A \text{ says } c$, and for all linear contexts $\mathcal{C}(\cdot)$, $x$, $c$, $Q$, $R$, and $s$ fresh in $P$:

$P \equiv \mathcal{C}(\mathsf{tell}\,{\downarrow_x} c.\,Q + R) \implies \mathsf{open}(Q\{s/x\}) \models^\sharp_s c \;\wedge\; \mathcal{C}$ is $x$-safe

where $\mathcal{C}(\cdot)$ is $x$-safe iff $\exists \mathcal{C}'.\; \mathcal{C}(\cdot) = \mathcal{C}'((x)\cdot)$ or $\mathcal{C}$ is free from $\mathsf{do}_x\, -$.

Example 10. Substitute $Q = \mathsf{fuse}_x.\,\mathsf{do}_x\, \mathsf{creditCard}$ for $\mathsf{fuse}_x$ in the process $P_A$ from Ex. 4. Then $A[P_A]$ is not honest, because $A$ cannot complete her contract if the $\mathsf{do}_x$ within $Q$ is performed. However, the modified $A[P_A]$ violates $x$-safety, hence it is not $\sharp$-honest.

The following lemma relates $\sharp$-honesty with the abstract semantics of processes. If a $\sharp$-honest process $P$ abstractly fires a $\mathsf{tell}\,{\downarrow_x} c$, then the continuation of $P$ realises $c$ (item 1). Also, $\sharp$-honesty is preserved under abstract transitions (item 2).

Lemma 8. For all $\sharp$-honest participants $A[P]$, such that $P = \mathsf{open}(P)$:

1. if $P \xrightarrow{\mathsf{tell}_B\,{\downarrow_x} c}_\sharp P'$, then $P'\{s/x\} \models^\sharp_s c$, for all $s$ fresh in $P$.

2. if $P \rightarrow_\sharp P'$, then $A[P']$ is $\sharp$-honest.

Our main result states that $\sharp$-honesty suffices to ensure honesty. Note that while honesty, by Def. 11, considers all the (infinitely many) possible contexts, $\sharp$-honesty does not. Hence, while verifying honesty can be unfeasible in the general case, it can still be ensured by establishing $\sharp$-honesty, which is more amenable to verification. For instance, for finite control processes [10] it is possible to decide $\sharp$-honesty e.g. through model checking. In fact, in these processes parallel composition cannot appear under recursion, hence their behaviour can be represented with finitely many states.

Theorem 6. All $\shar$-honest participants are honest.

Notably, by Theorem 6 we can establish that all the participants named $A$ in Examples 4, 5, and 6 are honest. This is obtained by reasoning as in Example 9. Instead, participant $A$ in Example 7 is honest but not $\sharp$-honest.

6 Related Work and Conclusions 

We have developed a formal model for reasoning about contract-oriented systems. Our approach departs from the common principle that contracts are always respected after they are agreed upon. We represent instead the more realistic situation where promises are not always kept. The process calculus CO2 [2] allows participants to advertise contracts, to establish sessions with other participants with compliant contracts, and to fulfill them (or choose not to). Remarkably, instead of defining an ad-hoc contract model, we have embedded the contract theory of [9] within CO2. To do that, we have slightly adapted the contracts of [9] in order to define culpability, and we have specialized CO2 accordingly at the system level. The main technical contribution of this paper is a criterion for deciding when a participant always respects the advertised contracts in all possible contexts. This is not a trivial task, especially when multiple sessions are needed for realizing a contract (see e.g. Ex. 5 and 6) or when participants want to inspect the state of a contract to decide how to proceed next (see e.g. Ex. 7).

To the best of our knowledge, this is the first paper that addresses the problem of establishing when a participant is honest in a contract-based system populated by dishonest participants. Several papers have investigated the use of contracts in concurrent systems; however, they typically focus on coupling processes which statically guarantee conformance to their contracts. This is achieved e.g. by typing [4, 8, 9], by contract-based process synthesis [6], or by approaches based on behavioural preorders [5].

The process calculus CO2 has been introduced in [2] as a generic framework for relating different contract models; the variant in this paper has been obtained by instantiating it with the contracts of [9]. Some primitives, e.g. multiparty $\mathsf{fuse}$, have been consequently simplified. In [2], a participant $A$ is honest when $A$ becomes not culpable from a certain execution step on; here, we only require that, whenever $A$ is culpable, she can exculpate herself by performing some actions. This change reflects the fact that bilateral contracts à la [9] can describe endless interactions. The notion of compliance in [9] is asymmetric. Namely, if $c$ is the client contract and $d$ is the server contract, then $c$ and $d$ are compliant if $c$ always reaches a success state or engages $d$ in an endless interaction. In our model instead compliance is symmetric: the server contract, too, has to agree on when a state is successful. The LTS semantics of unilateral contracts in [9] yields identical synchronization trees for internal and external choice; to differentiate them, one has to consider their ready sets. We instead give semantics to bilateral contracts, and distinguish between choices at the LTS level. Note that we do not allow for unguarded sums, unlike [9]. Were these allowed, we would have to deal e.g. with a participant $A$ with a contract of the form $a; c_0 \oplus (b.c_1 + c.c_2)$. According to our intuition $A$ should be culpable, because of the internal choice. If $A$ legitimately chooses not to perform $a$, to exculpate herself she would have to wait for the other participant to choose (internally) between $b$ and $c$. Therefore, $A$ can exculpate herself only if the other participant permits her to. By contrast, by restricting to guarded sums our theory enjoys the nice feature that a culpable participant can always exculpate herself by performing some actions, which pass the buck to the other participant (Theorems 1 and 3).

Design-by-contract is transferred in [4] to distributed interactions modelled as (multiparty) asserted global types. The projection of asserted global types on local ones allows for the automatic generation of monitors whereby incoming messages are checked against the local contract. Such monitors have a "local" view of the computation, i.e. they can detect a violation but cannot, in general, single out the culpable component. In fact, a monitor cannot know if an expected message is not delivered because the partner is violating his contract, or because he is blocked on interactions with other participants. Conversely, our notion of honesty singles out culpable components during the computation. An interesting problem would be to investigate how our notion of culpability could be attained within the approach in [4]. In fact, this seems to be a non-trivial problem, even when forbidding communication channels shared among more than two participants.

Contracts are rendered in [7, 6] as soft constraints (values in a c-semiring) that allow for different levels of agreement between contracts. When matching a client with a service, the constraints are composed. This restricts the possible interactions to those acceptable (if any) to both parties. A technique is proposed in [6] for compiling clients and services so that, after matching, both actually behave according to the mutually acceptable interactions, and reach success without getting stuck. Our framework is focused instead on blaming participants, and on checking when a participant is honest, i.e. always able to avoid blame in all possible contexts. The use of soft constraints in a context where participants can be dishonest seems viable, e.g. by instantiating the abstract contract model of CO2 with the contracts in [6]. A challenging task would be that of defining culpability in such a setting.
A Proofs for Section 2



The following lemma ensures that transition steps preserve the invariant required in Definition 1, i.e. that only one ready can occur in a bilateral contract.

Lemma A1. For all $\gamma$, if $\gamma \rightarrow A \text{ says } \mathsf{ready}\ a.c \mid B \text{ says } d$, then $d$ is ready-free.

Proof. By Definition 2, a ready can only occur at the top level of a contract. By Definition 1, only one ready can occur in $\gamma$. The thesis then follows by a straightforward analysis of the rules in Figure 1. □

The following lemma states that bilateral contracts evolve deterministically under the actions performed by participants. This agrees with the intuition that, in a contract involving the participants $A$ and $B$ (and no other third parties) the duties of $A$ and $B$ only depend on the choices performed by $A$ and $B$, and not on some external entity. Notice that, when $A$ and $B$ advertise two internal choices and evolve through [IntInt], determinism is ensured by the fact that one of the choices is a singleton. Otherwise, $A$ and $B$ could either succeed by internally choosing the same action, or fail by choosing different ones. Let e.g. $\gamma = A \text{ says } a; c_1 \oplus b; c_2 \mid B \text{ says } \overline{a}; d_1 \oplus \overline{b}; d_2$. Were [IntInt] allowing $\gamma$ to evolve to $A \text{ says } c_1 \mid B \text{ says } d_1$ with label $A \text{ says } a$, then we would lose determinism, since rule [IntIntFail] allows $\gamma$ to also evolve to $A \text{ says } c_1 \mid B \text{ says } 0$. Note however that determinism would still hold for compliant contracts.

Lemma 1. A bilateral contract $A \text{ says } c \mid B \text{ says } d$ is stuck iff $c = d = 0$.

Proof. Let $\gamma = A \text{ says } c \mid B \text{ says } d$.

For the "only if" part, if $c = d = 0$ then no rules in Definition 2 can be applied. Therefore, $\gamma$ is stuck.

For the "if" part, assume by contradiction that $c \neq 0$ (the case $d \neq 0$ is symmetric, so we omit it). We have the following exhaustive cases:

- if $c = \bigoplus_{i \in I} a_i ; c_i$, then $\gamma$ can take a transition through one of the rules [IntExt], [IntInt], [IntExtFail], [IntIntFail].

- if $c = \sum_{i \in I} a_i . c_i$, then $\gamma$ can take a transition through one of the rules [IntExt], [ExtExt], [IntExtFail], [ExtExtFail].

- if $c = \mathsf{ready}\ a.c'$, then $\gamma$ can take a transition through rule [Rdy].

In each case, we have proved that $\gamma$ can take a transition; therefore, $\gamma$ is not stuck. □
Lemma A2. For all contracts $c$, $RS(c) \neq \emptyset$.

Proof. Straightforward case analysis of Def. 3. □

Lemma 2. For all $\gamma$, if $\gamma \xrightarrow{\mu} \gamma'$ and $\gamma \xrightarrow{\mu} \gamma''$, then $\gamma' = \gamma''$.

Proof. Let $\gamma = A \text{ says } c \mid B \text{ says } d$, and w.l.o.g. assume that $\mu = A \text{ says } a$. According to the structure of $c$ and $d$, and to the rules in Figure 1, each rule is able to generate at most one $\mu$ transition for $\gamma$. It is therefore enough to consider the set of applicable rules. We have the following exhaustive, non-overlapping cases:

1. $c$ internal sum, $d$ external sum $\implies$ rules [IntExt], [IntExtFail]

2. $c$ internal sum, $d$ internal sum $\implies$ rules [IntInt], [IntIntFail]

3. $c$ external sum, $d$ internal sum $\implies$ symmetric of rules [IntExt], [IntExtFail]

4. $c$ external sum, $d$ external sum $\implies$ rules [ExtExt], [ExtExtFail]

5. $c$ is a ready $\implies$ rule [Rdy].

Note that we are not considering the case where $d$ is a ready and $c$ is not, because in such a case $A$ cannot perform any action. We now show that, for all $x \in \{\text{IntExt}, \text{IntInt}, \text{ExtExt}\}$, the rules [x] and [xFail] are mutually exclusive. We have three cases:

- [IntExt]. Let $c = \bigoplus_{i \in I} a_i ; c_i$, and let $d = \sum_{j \in J} b_j . d_j$ (the symmetric case is similar). If rule [IntExt] can be applied, then $\exists i \in I, j \in J.\; a = a_i$ and $b_j = \overline{a}$, which makes false the precondition of [IntExtFail]. Conversely, if [IntExtFail] can be applied, then $a \notin co(\{b_j\}_{j \in J})$, and so [IntExt] cannot be applied.

- [IntInt]. Let $c = \bigoplus_{i \in I} a_i ; c_i$, and let $d = \bigoplus_{j \in J} b_j ; d_j$. If rule [IntInt] can be applied, then $\exists i \in I.\; a = a_i$ and $d = \overline{a} ; d'$ for some $d'$, which makes false the precondition of [IntIntFail]. Conversely, if [IntIntFail] can be applied, then $co(\{b_j\}_{j \in J}) \neq \{a\}$, which prevents us from using the rule [IntInt].

- [ExtExt]. Let $c = \sum_{i \in I} a_i . c_i$, and let $d = \sum_{j \in J} b_j . d_j$. If rule [ExtExt] can be applied, then $\exists i \in I, j \in J.\; a = a_i$ and $b_j = \overline{a}$, and so the precondition of [ExtExtFail] is false. Conversely, if the precondition of [ExtExtFail] is true, then there exist no $i, j$ such that $\overline{a_i} = b_j$, and so [ExtExt] cannot be applied. □

Lemma A3. For all contracts $c, d$, if $c \bowtie d$ then $c \neq 0$ and $d \neq 0$.

Proof. By contradiction, assume w.l.o.g. that $d = 0$. By Def. 3, $RS(d) = \{\emptyset\}$. Therefore, by condition (1) of Def. 3, for all $X \in RS(c)$ it must be $\mathsf{ready} \in X$. By Lemma A2, $RS(c) \neq \emptyset$, and so by Def. 3 and by the fact that ready can only occur at the top level in a contract, it must be $c = \mathsf{ready}\ a.c'$, for some ready-free $c'$. By the rule [Rdy] in Fig. 1, it follows that $A \text{ says } c \mid B \text{ says } 0 \xrightarrow{A \text{ says } a} A \text{ says } c' \mid B \text{ says } 0$. By condition (2) in Def. 3, it should be $c' \bowtie 0$. The whole argument used above can be replayed to deduce that $c'$ must be of the form $\mathsf{ready}\ a.c''$: a contradiction, because $c'$ is ready-free. □



Lemma 3. For all bilateral contracts $\gamma = A \text{ says } c \mid B \text{ says } d$:

$c \bowtie d \iff (\forall c', d'.\; \gamma \rightarrow^* A \text{ says } c' \mid B \text{ says } d' \implies c' \neq 0 \text{ and } d' \neq 0)$

Proof. For the "only if" part, assume that $c \bowtie d$. Assume that $\gamma \rightarrow^n A \text{ says } c' \mid B \text{ says } d'$. We proceed by induction on $n$. For the base case $n = 0$, by Lemma A3 it follows that $c \neq 0$ and $d \neq 0$. For the inductive case, let $\gamma \rightarrow A \text{ says } c'' \mid B \text{ says } d''$. By condition (2) of Def. 3, $c'' \bowtie d''$, and so by the induction hypothesis we conclude.

For the "if" part, assume that all the descendants of $\gamma = A \text{ says } c \mid B \text{ says } d$ have non-$0$ contracts. Let $\mathcal{R}$ be the following relation on contracts:

$c' \,\mathcal{R}\, d'$ iff $\gamma \rightarrow^* A \text{ says } c' \mid B \text{ says } d'$

We will prove that $\mathcal{R}$ satisfies both conditions (1) and (2) of Def. 3. Since $\bowtie$ is the largest relation satisfying these conditions, we shall then conclude that $c \bowtie d$. Condition (2) holds by construction. For condition (1), let $c' \,\mathcal{R}\, d'$, and assume by contradiction that:

$\exists X \in RS(c'), Y \in RS(d').\; co(X) \cap Y = \emptyset$ and $\mathsf{ready} \notin (X \cup Y) \setminus (X \cap Y)$   (1)

We now proceed by cases on the syntax of $c'$ and $d'$. Note that ready may occur at most once in $A \text{ says } c' \mid B \text{ says } d'$ because of the syntactic restriction on bilateral contracts (which is preserved by transitions, as stated by Lemma A1). Hence $\mathsf{ready} \notin X \cap Y$, which with (1) actually implies $\mathsf{ready} \notin X \cup Y$, proving that ready does not occur at all in $c'$ nor in $d'$. Then, there are the following exhaustive cases (symmetric cases are omitted):

- if $c' = \bigoplus_{i \in I} a_i ; c'_i$ and $d' = \sum_{j \in J} b_j . d'_j$, then by Def. 3 and (1) there exists $X = \{a_i\}$ with $a_i \notin co(\{b_j \mid j \in J\})$. Then, by the rule [IntExtFail], it follows that $\gamma \xrightarrow{A \text{ says } a_i} A \text{ says } E \mid B \text{ says } 0$: a contradiction.

- if $c' = \bigoplus_{i \in I} a_i ; c'_i$ and $d' = \bigoplus_{j \in J} b_j ; d'_j$, then by Def. 3 and (1) there exist $X = \{a_i\}$ and $Y = \{b_j\}$ such that $\overline{a_i} \neq b_j$. Hence $\{a_i\} \neq co(\{b_j \mid j \in J\})$. Then, by the rule [IntIntFail], it follows that $\gamma \xrightarrow{A \text{ says } a_i} A \text{ says } E \mid B \text{ says } 0$: a contradiction.

- if $c' = \sum_{i \in I} a_i . c'_i$ and $d' = \sum_{j \in J} b_j . d'_j$, then by Def. 3 and (1), $co(\{a_i \mid i \in I\}) \cap \{b_j \mid j \in J\} = \emptyset$. Then, by the rule [ExtExtFail], it follows that $\gamma \rightarrow A \text{ says } E \mid B \text{ says } 0$: a contradiction. □

Definition A1 (Dual contract). For all ready-free contracts $c$, let the contract $\mathit{dual}(c)$ be inductively defined as follows:

$\mathit{dual}(\bigoplus_{i \in I} a_i ; c_i) = \sum_{i \in I} \overline{a_i} . \mathit{dual}(c_i)$   $\mathit{dual}(\mathsf{rec}\,X.\,c) = \mathsf{rec}\,X.\,\mathit{dual}(c)$

$\mathit{dual}(\sum_{i \in I} a_i . c_i) = \bigoplus_{i \in I} \overline{a_i} ; \mathit{dual}(c_i)$   $\mathit{dual}(X) = X$

Lemma A4. For all $0$-free and ready-free $c$, $c \bowtie \mathit{dual}(c)$.

Proof. We will prove the following three properties, which hold for all $0$-free and ready-free contracts $c$:

$A \text{ says } c \mid B \text{ says } \mathit{dual}(c) \rightarrow A \text{ says } c' \mid B \text{ says } d' \implies \exists a, f \text{ without } 0:\; c' = f \text{ and } d' = \mathsf{ready}\ \overline{a}.\mathit{dual}(f)$, or $c' = \mathsf{ready}\ a.\mathit{dual}(f) \text{ and } d' = f$   (2a)

$A \text{ says } c \mid B \text{ says } \mathsf{ready}\ a.\mathit{dual}(c) \rightarrow \gamma' \implies \gamma' = A \text{ says } c \mid B \text{ says } \mathit{dual}(c)$   (2b)

$A \text{ says } \mathsf{ready}\ a.c \mid B \text{ says } \mathit{dual}(c) \rightarrow \gamma' \implies \gamma' = A \text{ says } c \mid B \text{ says } \mathit{dual}(c)$   (2c)

For (2a), by Def. A1 we have that $c$ is an internal sum and $\mathit{dual}(c)$ is an external sum, or vice versa. W.l.o.g. assume that $c = \bigoplus_{i \in I} a_i ; c_i$ (the case of an external sum is similar). Note that [IntExtFail] cannot be applied, since its precondition $\exists i \in I.\; \forall j \in J.\; a_i \neq \overline{a_j}$ is false. Therefore, the only applicable rule is [IntExt], which gives the desired conclusion. Properties (2b) and (2c) hold trivially by Def. 2. Note that, under their hypotheses, the only applicable rule is [Rdy].

Taken together, (2a), (2b) and (2c) guarantee that, if $\gamma = A \text{ says } c \mid B \text{ says } \mathit{dual}(c) \rightarrow^* A \text{ says } c' \mid B \text{ says } d'$, then $c' \neq 0$ and $d' \neq 0$. By Lemma 3, this enables us to conclude that $c \bowtie \mathit{dual}(c)$. □

Lemma 4. For all $0$-free contracts $c$, there exists $d$ such that $c \bowtie d$.

Proof. If $c$ is ready-free, then the thesis immediately follows from Lemma A4, by choosing $d = \mathit{dual}(c)$. If $c = \mathsf{ready}\ a.c'$, then by Definition 1 $c'$ must be ready-free. Therefore, by Lemma A4 $c' \bowtie \mathit{dual}(c')$. Let $d = \mathit{dual}(c')$. Item (1) of Definition 3 holds, because $RS(c) = \{\{\mathsf{ready}\}\}$. Item (2) also holds, because there exists a unique transition from $A \text{ says } c \mid B \text{ says } d$, leading to $A \text{ says } c' \mid B \text{ says } d$, by the rule [Rdy], and we have that $c' \bowtie d$. □
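As an added example (not code from the paper), the following Python encodes the contract syntax, the ready sets $RS(\cdot)$ in the shape the appendix proofs use, the unblocks predicate of Def. 13 and the $\mathit{dual}(\cdot)$ construction of Def. A1, and runs them on a constructed stand-in for the store contract of Ex. 9. It assumes that the co-action $\overline{a}$ can be written "~a" with $\overline{\mathsf{e}} = \mathsf{e}$, that $RS$ of a recursive contract is taken on its unfolding, and that the store contract has the shape given in the code.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple, Union

# Constructed example, not code from the paper: the contract syntax of Def. 1, the
# ready sets RS(c) as used by the appendix proofs, "unblocks" (Def. 13) and dual(c)
# (Def. A1). Actions are strings; the co-action of "a" (written ā in the paper) is
# encoded as "~a", and the success action e is its own co-action (ē = e).
@dataclass(frozen=True)
class Nil:            # 0, the failed contract
    pass
@dataclass(frozen=True)
class Var:            # recursion variable X
    name: str
@dataclass(frozen=True)
class Rec:            # rec X. c
    name: str
    body: "Contract"
@dataclass(frozen=True)
class Ready:          # ready a.c (a committed action)
    action: str
    cont: "Contract"
@dataclass(frozen=True)
class IntSum:         # a1; c1 (+) ... (+) an; cn   (internal choice)
    branches: Tuple[Tuple[str, "Contract"], ...]
@dataclass(frozen=True)
class ExtSum:         # a1.c1 + ... + an.cn   (external choice)
    branches: Tuple[Tuple[str, "Contract"], ...]

Contract = Union[Nil, Var, Rec, Ready, IntSum, ExtSum]
E_ACT, READY = "e", "ready"                   # success action; "ready" pseudo-action of RS
E = Rec("X", IntSum(((E_ACT, Var("X")),)))    # E = rec X. e; X, the success contract

def co(a: str) -> str:
    """Co-action: ~a <-> a, with e fixed (assumed encoding of the paper's bar)."""
    if a == E_ACT:
        return a
    return a[1:] if a.startswith("~") else "~" + a

def subst(c, name, repl):
    """c{repl/name}; repl is closed, so no capture can occur."""
    if isinstance(c, Var):
        return repl if c.name == name else c
    if isinstance(c, Rec):
        return c if c.name == name else Rec(c.name, subst(c.body, name, repl))
    if isinstance(c, Ready):
        return Ready(c.action, subst(c.cont, name, repl))
    if isinstance(c, (IntSum, ExtSum)):
        return type(c)(tuple((a, subst(k, name, repl)) for a, k in c.branches))
    return c

def ready_sets(c) -> FrozenSet[FrozenSet[str]]:
    """RS(c): a singleton per branch of an internal sum, the whole action set of an
    external sum, {{ready}} for ready a.c, {{}} for 0; recursion is unfolded first."""
    if isinstance(c, Nil):
        return frozenset({frozenset()})
    if isinstance(c, Rec):            # assumption: RS is taken on the (guarded) unfolding
        return ready_sets(subst(c.body, c.name, c))
    if isinstance(c, Ready):
        return frozenset({frozenset({READY})})
    if isinstance(c, IntSum):
        return frozenset(frozenset({a}) for a, _ in c.branches)
    if isinstance(c, ExtSum):
        return frozenset({frozenset(a for a, _ in c.branches)})
    raise ValueError("unguarded recursion variable")

def unblocks(c, X: FrozenSet[str]) -> bool:
    """Def. 13: c unblocks X iff some Y in RS(c) is included in X u {e}, or c = ready a.c'
    with a in X u {e}. 0 unblocks nothing, since the definition is stated for c != 0."""
    if isinstance(c, Nil):
        return False
    Xe = X | {E_ACT}
    if isinstance(c, Ready):
        return c.action in Xe
    return any(Y <= Xe for Y in ready_sets(c))

def dual(c):
    """Def. A1 (ready-free c): swap each sum kind and replace every action by its co-action."""
    if isinstance(c, Var):
        return c
    if isinstance(c, Rec):
        return Rec(c.name, dual(c.body))
    if isinstance(c, IntSum):
        return ExtSum(tuple((co(a), dual(k)) for a, k in c.branches))
    if isinstance(c, ExtSum):
        return IntSum(tuple((co(a), dual(k)) for a, k in c.branches))
    raise ValueError("dual is defined only for ready-free contracts")

# Constructed stand-in for the store contract c_A of Ex. 4 (its exact form is assumed):
# the buyer picks addToCart or creditCard; after creditCard the store internally
# accepts or rejects, reaching E either way.
STORE = Rec("X", ExtSum((
    ("addToCart", Var("X")),
    ("creditCard", IntSum((("accept", E), ("reject", E)))),
)))

def store_checks():
    """The checks behind condition (1) of Def. 15 in Ex. 9, plus the dual of the store."""
    rd = frozenset({"addToCart", "creditCard"})    # RD_s of the store process in Ex. 9
    return (unblocks(STORE, rd),                             # all branches enabled: True
            unblocks(STORE, frozenset({"addToCart"})),       # external sum, one missing: False
            unblocks(IntSum((("accept", E), ("reject", E))), frozenset({"accept"})),  # True
            dual(STORE))
```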

Lemma A5. For all contracts $c, d$, if $c \bowtie d$ then:

$c = \bigoplus_{i \in I} a_i ; c_i \implies \big( d = \sum_{i \in J} \overline{a_i} . d_i \wedge I \subseteq J \wedge \forall i \in I.\; c_i \bowtie d_i \big) \vee \big( d = \overline{a_j} ; d_j \wedge I = \{j\} \wedge c_j \bowtie d_j \big) \vee \big( d = \mathsf{ready}\ b.d' \wedge c \bowtie d' \big)$   (3a)

$c = \sum_{i \in I} a_i . c_i \implies \big( d = \bigoplus_{i \in J} \overline{a_i} ; d_i \wedge J \subseteq I \wedge \forall i \in J.\; c_i \bowtie d_i \big) \vee \big( d = \sum_{i \in J} \overline{a_i} . d_i \wedge I \cap J \neq \emptyset \wedge \forall i \in I \cap J.\; c_i \bowtie d_i \big) \vee \big( d = \mathsf{ready}\ b.d' \wedge c \bowtie d' \big)$   (3b)

$c = \mathsf{ready}\ a.c' \implies c' \bowtie d$   (3c)

Proof. For (3c), assume that $c = \mathsf{ready}\ a.c'$. By rule [Rdy], $A \text{ says } c \mid B \text{ says } d \xrightarrow{A \text{ says } a} A \text{ says } c' \mid B \text{ says } d$. Since $c \bowtie d$, by item (2) of Def. 3 it must be the case that $c' \bowtie d$.

For (3a), let $c = \bigoplus_{i \in I} a_i ; c_i$. We have three subcases, according to the form of $d$.

- $d = \sum_{i \in J} b_i . d_i$. We start by proving that $\{b_i\}_{i \in J} \supseteq co(\{a_i\}_{i \in I})$. Let $a \in \{a_i\}_{i \in I}$. By Def. 3, we have that $\{a\} \in RS(c)$. Since $c \bowtie d$ and $c, d$ are ready-free, by Def. 3 we have that $\{a\} \cap co(Y) \neq \emptyset$ for all $Y \in RS(d)$. By Def. 3, $RS(d) = \{\{b_i\}_{i \in J}\}$. Therefore, there exists $i \in J$ such that $b_i = \overline{a}$.

 We now prove that $c_i \bowtie d_i$, for all $i \in I$. Let $j \in I$. By rule [IntExt], we have that $A \text{ says } c \mid B \text{ says } d \xrightarrow{A \text{ says } a_j} A \text{ says } c_j \mid B \text{ says } \mathsf{ready}\ \overline{a_j}.d_j$. By item (2) of Def. 3 it follows that $c_j \bowtie \mathsf{ready}\ \overline{a_j}.d_j$. Therefore, by (3c) we conclude that $c_j \bowtie d_j$.

- $d = \bigoplus_{j \in J} b_j ; d_j$. We start by proving that $|I| = |J| = 1$. If this were not the case, then we could apply rule [IntIntFail], and so by Lemma 3 we would have the contradiction $c \not\bowtie d$. Therefore, let $I = J = \{j\}$. By rule [IntInt] we have that $A \text{ says } c \mid B \text{ says } d \xrightarrow{A \text{ says } a_j} A \text{ says } c_j \mid B \text{ says } \mathsf{ready}\ \overline{a_j}.d_j$. By item (2) of Def. 3 it follows that $c_j \bowtie \mathsf{ready}\ \overline{a_j}.d_j$. Therefore, by (3c) we conclude that $c_j \bowtie d_j$.

- $d = \mathsf{ready}\ b.d'$. By (3c) we conclude that $c \bowtie d'$.

For (3b), let $c = \sum_{i \in I} a_i . c_i$. We have three subcases, according to the form of $d$.

- $d = \bigoplus_{i \in J} b_i ; d_i$. This case has already been dealt with when proving (3a) in the case where $d$ is an external sum.

- $d = \sum_{j \in J} b_j . d_j$. We start by proving that $\{b_j\}_{j \in J} \cap co(\{a_i\}_{i \in I}) \neq \emptyset$. If this were not the case, then we could apply rule [ExtExtFail], and so by Lemma 3 we would have the contradiction $c \not\bowtie d$. We now prove that $c_i \bowtie d_i$, for all $i \in I \cap J$. Let $j \in I \cap J$. By rule [ExtExt], we have that $A \text{ says } c \mid B \text{ says } d \xrightarrow{A \text{ says } a_j} A \text{ says } c_j \mid B \text{ says } \mathsf{ready}\ \overline{a_j}.d_j$. By item (2) of Def. 3 it follows that $c_j \bowtie \mathsf{ready}\ \overline{a_j}.d_j$. Therefore, by (3c) we conclude that $c_j \bowtie d_j$.

- $d = \mathsf{ready}\ b.d'$. By (3c) we conclude that $c \bowtie d'$. □

Lemma A6. For all $\gamma$, $A \dot{\bowtie} \gamma$ if and only if $\gamma$ has one of the following forms:

$A \text{ says } 0 \mid B \text{ says } d$   [$\dot{\bowtie}$Nil]

$A \text{ says } \mathsf{ready}\ a.c \mid B \text{ says } d$ with $a \neq \mathsf{e}$   [$\dot{\bowtie}$Rdy]

$A \text{ says } \bigoplus_{i \in I} a_i ; c_i \mid B \text{ says } d$ with $\forall i \in I.\; a_i \neq \mathsf{e}$ and $d$ ready-free   [$\dot{\bowtie}$Int]

$A \text{ says } \sum_{i \in I} a_i . c_i \mid B \text{ says } \sum_{j \in J} b_j . d_j$ with $\mathsf{e} \notin \{a_i\}_{i \in I}$, or $\mathsf{e} \notin (\{a_i\}_{i \in I} \cap co(\{b_j\}_{j \in J})) \neq \emptyset$   [$\dot{\bowtie}$Ext]

Proof. For ($\Leftarrow$), the proof is by straightforward case analysis, using the rules for $\rightarrow$.

- if $\gamma$ has the form [$\dot{\bowtie}$Nil], then $A \dot{\bowtie} \gamma$ follows directly by Def. 4;

- if $\gamma$ has the form [$\dot{\bowtie}$Rdy], then by the rule [Rdy] $\gamma$ can take a transition labelled $A \text{ says } a$, with $a \neq \mathsf{e}$; no other transitions are possible.

- if $\gamma$ has the form [$\dot{\bowtie}$Int], assume that $d \neq 0$ (case already dealt with). Then, one of the rules [IntExt], [IntExtFail], [IntInt], [IntIntFail] allows $\gamma$ to take a transition labelled $A \text{ says } a_i$, with $a_i \neq \mathsf{e}$.

- if $\gamma$ has the form [$\dot{\bowtie}$Ext], assume that $d \neq 0$ (case already dealt with). There are two subcases. If $\mathsf{e} \notin \{a_i\}_{i \in I}$, then one of the rules [ExtExt] or [ExtExtFail] allows $\gamma$ to take a transition labelled $A \text{ says } a_i$, but no transition labelled $A \text{ says } \mathsf{e}$. If $\mathsf{e} \in \{a_i\}_{i \in I}$, $\mathsf{e} \notin \{b_j\}_{j \in J}$, and $(\{a_i\}_{i \in I} \cap co(\{b_j\}_{j \in J})) \neq \emptyset$, then no transitions labelled $A \text{ says } \mathsf{e}$ are possible, but there exists a transition labelled $A \text{ says } a_i$.

For ($\Rightarrow$), assume that $\gamma$ has none of the forms reported in the statement. We will prove that $A \not\dot{\bowtie} \gamma$. We proceed by cases on the form of $\gamma$.

- $A \text{ says } \mathsf{ready}\ \mathsf{e}.c' \mid B \text{ says } d$. By rule [Rdy], there is a transition labelled $A \text{ says } \mathsf{e}$.

- $A \text{ says } c \mid B \text{ says } d$, with $c = \bigoplus_{i \in I} a_i ; c_i$, and $d = \mathsf{ready}\ b.d'$ or $\exists i \in I.\; a_i = \mathsf{e}$.

 • If $d = \mathsf{ready}\ b.d'$, then the only possible transition, obtained by the rule [Rdy], is labelled $B \text{ says } b$.

 • If $\exists i \in I.\; a_i = \mathsf{e}$, then a transition labelled $A \text{ says } \mathsf{e}$ is possible by using one of the rules [IntExt], [IntExtFail], [IntInt], [IntIntFail].

- $A \text{ says } c \mid B \text{ says } d$, with $c = \sum_{i \in I} a_i . c_i$. We have the following subcases:

 • if $d = \mathsf{ready}\ b.d'$ or $d = \bigoplus_{j \in J} b_j ; d_j$, with $d \neq 0$, then $\gamma$ cannot take $A$-transitions.

 • if $d = \sum_{j \in J} b_j . d_j$ and $\mathsf{e} \in \{a_i\}_{i \in I}$, we have two subcases. If $\mathsf{e} \in \{b_j\}_{j \in J}$, then [ExtExt] allows for a transition labelled $A \text{ says } \mathsf{e}$. If $(\{a_i\}_{i \in I} \cap co(\{b_j\}_{j \in J})) = \emptyset$, a transition with the same label is obtained by [ExtExtFail]. □

Theorem 1. For all $\gamma = A \text{ says } c \mid B \text{ says } d$ with $0$-free $c$, there exist $\gamma'$ and $A$-solo $\eta$ with $|\eta| \leq 2$ such that $\gamma \xrightarrow{\eta} \gamma'$ and $A \not\dot{\bowtie} \gamma'$.

Proof. We first consider the case that $c$ is ready-free, where we have the following three exhaustive subcases:

- $\gamma \xrightarrow{A \text{ says } a} \delta$, for some $a$, and the transition has been possible through one of the rules [IntExt], [IntInt], or [ExtExt] in Figure 1. Then, the contract advertised by $B$ in $\delta$ will have the form $\mathsf{ready}\ \overline{a}.d'$, for some $d'$, while the contract of $A$ is ready-free. By Lemma A6 we have that $A \not\dot{\bowtie} \delta$ (since $c$ is $0$-free). Therefore, the thesis follows by choosing $\gamma' = \delta$ and $\eta = (A \text{ says } a)$.

- $\gamma \xrightarrow{A \text{ says } a} \delta$, for some $a$, and the transition has been possible through one of the rules [$\cdot$Fail] in Figure 1. Then, $\delta = A \text{ says } E \mid B \text{ says } 0$, and by Definition 4 we have that $A \not\dot{\bowtie} \delta$. The thesis follows by choosing $\gamma' = \delta$ and $\eta = (A \text{ says } a)$.

- $\gamma$ cannot take a transition under an action of $A$. By Definition 4 we have that $A \not\dot{\bowtie} \gamma$. Therefore, the thesis follows with $\gamma' = \gamma$ (and empty $\eta$).

We now consider the case $c = \mathsf{ready}\ a.c'$, for some $a$ and $c'$. By rule [Rdy] $\gamma$ has a transition to $A \text{ says } c' \mid B \text{ says } d$ labelled $A \text{ says } a$. Since $c'$ is ready-free and $0$-free, we then apply one of the three cases above (which guarantee $|\eta| \leq 1$) and conclude. □

Lemma A7. Let $\gamma_0 \xrightarrow{A \text{ says } a} \gamma_1 \xrightarrow{A \text{ says } b} \gamma_2 = A \text{ says } c_2 \mid B \text{ says } d_2$. Then, $c_2 = 0$ or $A \not\dot{\bowtie} \gamma_2$.

Proof. We first prove that, for all $\gamma$:

$\gamma$ ready-free $\wedge\; \gamma \xrightarrow{A \text{ says } a} \gamma' = A \text{ says } c' \mid B \text{ says } d' \implies c' = 0 \;\vee\; A \not\dot{\bowtie} \gamma'$   (4)

Let $\gamma = A \text{ says } c \mid B \text{ says } d$. We have the following two subcases:

- $\gamma \xrightarrow{A \text{ says } a} \gamma'$ has been derived through one of the rules in Figure 1 (except [Rdy]). Then, $d'$ will have the form $\mathsf{ready}\ \overline{a}.d$, for some $d$, while $c'$ is ready-free. Then, either $c' = 0$, or by Lemma A6 we have that $A \not\dot{\bowtie} \gamma'$.

- $\gamma \xrightarrow{A \text{ says } a} \gamma'$ has been derived through one of the rules [$\cdot$Fail] in Figure 1. Then, $\gamma' = A \text{ says } E \mid B \text{ says } 0$, and by Definition 4 we have that $A \not\dot{\bowtie} \gamma'$.

Back to the main statement, let $\gamma_i = A \text{ says } c_i \mid B \text{ says } d_i$, for $i \in \{0, 1, 2\}$. After the first transition, we have that $c_1 \neq 0$, because otherwise the transition to $\gamma_2$ would not be possible. Also, $c_1$ is ready-free, because a transition labelled $A \text{ says } a$ cannot generate a ready in $A$. Therefore, by the hypothesis $\gamma_1 \xrightarrow{A \text{ says } b} \gamma_2$ and by (4) it follows that either $c_2 = 0$ or $A \not\dot{\bowtie} \gamma_2$. □






Theorem 2. For all $c, d$, if $c \bowtie d$ and $A \text{ says } c \mid B \text{ says } d \rightarrow^* \gamma = A \text{ says } c' \mid B \text{ says } d'$, then either $c'$ and $d'$ succeed, or $A \dot{\bowtie} \gamma$, or $B \dot{\bowtie} \gamma$.

Proof. Assume that $A \not\dot{\bowtie} \gamma$ and $B \not\dot{\bowtie} \gamma$. According to Lemma A6, $\gamma$ must have one of the following forms (symmetric cases are omitted):

- $A \text{ says } c' \mid B \text{ says } \mathsf{ready}\ \mathsf{e}.E$. In this case, $\gamma$ has been obtained through a transition step labelled $A \text{ says } \mathsf{e}$. By Definition 2 and by the syntactic restriction on the continuations of $\mathsf{e}$, this implies $c' = E$. By Definition 1, $c' = E = \mathsf{e}; X\{E/X\} = \mathsf{e}; E$ succeeds, as well as $d' = \mathsf{ready}\ \mathsf{e}.E$.

- $c' = \mathsf{e}; E \oplus c_1$ and $d' = \mathsf{e}; E \oplus d_1$. By Definition 1, both $c'$ and $d'$ succeed.

- $c' = \mathsf{e}; E \oplus c_1$ and $d' = \sum_{i \in I} b_i . d_i$. Since $c' \bowtie d'$ and $\{\mathsf{e}\} \in RS(c')$, then there exists $j \in I$ such that $b_j = \overline{\mathsf{e}} = \mathsf{e}$. By Definition 1, both $c'$ and $d'$ succeed.

- $c' = \sum_i a_i . c_i$ and $d' = \sum_j b_j . d_j$, with $\mathsf{e} \in \{a_i\}_i \cap \{b_j\}_j$. By Definition 1, both $c'$ and $d'$ succeed.

- $c' = \sum_i a_i . c_i$ and $d' = \sum_j b_j . d_j$, with $\mathsf{e} \notin \{a_i\}_i \cup \{b_j\}_j$, and $\{a_i\}_i \cap co(\{b_j\}_j) = \emptyset$. The latter condition violates requirement (1) of Definition 3, so it is false that $c' \bowtie d'$: a contradiction. □



B Proofs for Section 4 

Lemma 5. For all $P$ and for all $\gamma = A \text{ says } c \mid B \text{ says } d$, if $c$ unblocks $RD_s(P)$ and $S \equiv (\vec{u})(A[P] \mid s[\gamma] \mid S')$, then either $A \not\dot{\bowtie} \gamma$ or $S \xrightarrow{A \text{ says } \mathsf{do}_s\, a}$.

Proof. Let $X = RD_s(P)$, and assume that $A \dot{\bowtie} \gamma$. We have the following cases on the structure of $c$:

- $c = 0$. This case never applies, because by Def. 13, "$0$ unblocks $Y$" is false for all $Y$.

- $c = \mathsf{ready}\ a.c'$. Since $A \dot{\bowtie} \gamma$, by Def. 4 it must be $a \neq \mathsf{e}$. Since $c$ unblocks $X$, then by Def. 13 $a \in X$. So, by Def. 12 there exists an unguarded $\mathsf{do}_s\, a$ in $P$. Since $\gamma \xrightarrow{A \text{ says } a}$ by [Rdy], then by the rules [Do] and [Par], $S \xrightarrow{A \text{ says } \mathsf{do}_s\, a}$.

- $c = \bigoplus_{i \in I} a_i ; c_i$. Since $A \dot{\bowtie} \gamma$, by Lemma A6 it must be $a_i \neq \mathsf{e}$ for all $i \in I$. Since $c$ unblocks $X$, then by Def. 13 there exists $i \in I$ such that $a_i \in X$. So, by Def. 12 there exists an unguarded $\mathsf{do}_s\, a_i$ in $P$. Note that $d$ is ready-free, since otherwise it would be $A \not\dot{\bowtie} \gamma$. Therefore, $\gamma \xrightarrow{A \text{ says } a_i}$ by either [IntExt] or [IntExtFail], and then $S \xrightarrow{A \text{ says } \mathsf{do}_s\, a_i}$ by [Do] and [Par].

- $c = \sum_{i \in I} a_i . c_i$. Since $A \dot{\bowtie} \gamma$ and $d \neq 0$, choose $j \in I$ such that $\gamma \xrightarrow{A \text{ says } a_j}$. Since $c$ unblocks $X$ and $a_j \neq \mathsf{e}$, then by Def. 13, $a_j \in X$. So, by Def. 12 there exists an unguarded $\mathsf{do}_s\, a_j$ in $P$. Then by the rules [Do] and [Par], $S \xrightarrow{A \text{ says } \mathsf{do}_s\, a_j}$. □

Theorem 3 (Factual exculpation). Let $(S_i)_i$ be the following $A$-solo stable $\rightarrow$-trace, with $S_i \equiv (\vec{u}_i)(A[Q_i] \mid s[A \text{ says } c_i \mid B \text{ says } d_i] \mid S'_i)$, and:

$S_0 \xrightarrow{\mu_0} \cdots \xrightarrow{\mu_{i-2}} S_{i-1} \xrightarrow{A \text{ says } \mathsf{do}_s\, a} S_i \xrightarrow{\mu_i} \cdots \xrightarrow{\mu_{j-2}} S_{j-1} \xrightarrow{A \text{ says } \mathsf{do}_s\, b} S_j \xrightarrow{\mu_j} \cdots$

where $\mu_h \neq A \text{ says } \mathsf{do}_s\, -$ for all $h \in [i, j-2]$. Then, either $c_j = 0$ or $A \not\dot{\bowtie}_s S_j$.

Proof. Straightforward by Lemma A7, by noting that the steps from $\mu_i$ to $\mu_{j-2}$ do not change the contract in $s$, while the steps labelled $A \text{ says } \mathsf{do}_s\, a$ and $A \text{ says } \mathsf{do}_s\, b$ correspond to $\rightarrow$-transitions labelled $A \text{ says } a$ and $A \text{ says } b$, respectively. □

We now prove that honesty is undecidable. To do that, we show that the complement problem, i.e. deciding if a participant is dishonest, is not recursive (actually, it is recursively enumerable, from which it follows that honesty is neither recursive nor recursively enumerable).

Theorem 4. The problem of deciding whether a participant $A[P]$ is dishonest is recursively enumerable, but not recursive.

Proof. We start by proving that "$A[P]$ dishonest" is a r.e. property. By Def. 11, $A[P]$ is not honest iff there exists a context $S$ (free from latent/stipulated contracts of $A$) such that $A$ is not honest in $A[P] \mid S$. The latter holds when there exist a contract $c$ and a session $s$ such that $A$ does not realize $c$ at $s$ in $A[P] \mid S$. Summing up, $A[P]$ is dishonest iff the following conditions hold for some $S, S_0, s$:

1. $S$ free from $A \text{ says } \cdots$ and from $A[\cdots]$

2. $A[P] \mid S \rightarrow^* S_0$

3. there is an $A$-solo $\{A \text{ says } \pi\}$-fair trace $S_0 \rightarrow S_1 \rightarrow \cdots$ where $A \div_s S_j$ for all $j > 0$.

Recall that $p(x,y)$ r.e. implies that $q(y) = \exists x.\, p(x,y)$ is r.e., provided that $x$ ranges over an effectively enumerable set (e.g., systems $S$, or sessions $s$). Thus, to prove the above existentially-quantified property r.e. it suffices to prove that 1), 2), 3) are r.e. Property 1 is trivially recursive. Property 2 is r.e. since one can enumerate all the possible finite traces. Property 3 is shown below to be recursive, by reducing it to the satisfiability of an LTL formula on Petri nets.

Deciding property 3 amounts to deciding the satisfiability of the LTL property $\Box (A \div_s)$ on the (fair) LTS generated from $S_0$. Note that $A \div_s$ is a decidable property, and we need to consider the $A$-solo fair traces only. The fairness requirement can be moved from the LTS into the formula itself: indeed, the satisfiability of $\Box (A \div_s)$ on the fair traces is equivalent to the satisfiability of $\mathit{fair} \wedge \Box (A \div_s)$ on all the traces, where $\mathit{fair}$ encodes the fairness requirement in LTL. In order to check the latter, first note that restricting to $A$-solo traces allows us to neglect all the interactions with the context. Also, participant $A$ can only interact with a finite, statically bounded number of sessions: she needs to consume a latent contract from another participant to spawn a fresh session, and those must be present in $S_0$. Because of this, without loss of generality, it is possible to assume that the continuation of each CO2 prefix is a defined process $X_i(\vec u)$ where $i$ ranges over a finite, statically known set. Further, $\vec u$ can only be instantiated in a finite number of ways, since there are only so many sessions. This makes the process $Q$ in $A[Q]$ equivalent to a parallel composition of such $X_i(\cdots)$, each one possibly occurring zero, one or more times. Therefore, the system $A[Q]$ can be equivalently represented as a Petri net, where places are the $X_i$ and tokens account for their multiplicity ($\mathrm{tell}$ actions of $A$ to advertise contracts to the context are immaterial, since they cannot be fused in an $A$-solo trace). The outer context of $A[Q]$ in system $S_0$ is a finite-state system. Indeed, sessions appear in a statically bounded number, and each one of them has a finite-state contract; further, participants other than $A$ cannot move in an $A$-solo trace. To conclude, property 3 reduces to the problem of model checking LTL over Petri nets, which is decidable [13].

We now prove that the property "$A[P]$ is dishonest" is undecidable. To do that, we reduce the halting problem on Turing machines to the problem of checking dishonesty. We model a configuration of a generic Turing machine $M$ as a finite sequence

$$x_0\, x_1\, x_2 \ldots (x_n, q) \ldots x_k$$

where

1. $x_i$ represents the symbol written at the $i$-th cell of the tape,

2. the single occurrence of the pair $(x_n, q)$ denotes that the head of $M$ is over cell $n$, and $M$ is in state $q$,

3. the tape implicitly contains "blank" symbols at cells after position $k$.

Without loss of generality, assume that $M$ halts only when its head is over $x_0$ and $M$ is in a halting state $q_{\mathit{stop}}$. Note that each symbol $x_i$ can be finitely represented, because the alphabet is finite. States $q$ can be finitely represented as well.

Given a deterministic, 1-tape Turing machine $M$, we devise an effective procedure to construct a participant which is dishonest if and only if $M$ halts on the empty tape. The system has the form

$$A[\,(x)\, \mathrm{tell}_B \downarrow_x c .\, \mathrm{do}_x\, a .\, P\,] \qquad (5)$$

where the choice of names for participant $B$ and atom $a$ is immaterial, $c = \mathrm{rec}\, X.\, a ; X$, and $P$ is given below. Note that we will not construct a participant $A$ which simulates $M$ by herself; rather, in order to simulate $M$, $A$ will require some cooperation from the context. So, we guarantee two different properties according to whether the context cooperates:

- if $B$ does not cooperate, $A$ will stop simulating $M$, but will still behave honestly in all the open sessions;

- if $B$ cooperates, $A$ will run $M$, and behave honestly while doing that; only when $M$ is found to halt, $A$ will instead behave dishonestly.

In other words, if $M$ does not halt, $A$ is honest in all contexts (and therefore honest); if $M$ halts, $A$ is not honest in at least one (cooperating) context (and therefore dishonest).

We now define the process $P$ in the system (5) (hereafter, we denote with $s$ the session name instantiated for $x$). Such process is defined so that whenever $M$ halts, $A$ will be dishonest at $s$, and $A$ will be otherwise honest at all her sessions (including $s$). Note that if the latent contract $\downarrow_x c$ in (5) is never fused by $B$, then $A$ is honest.

By the finiteness conditions on $M$, we can represent the information relative to a single cell through a finite contract family $d_{x,q}$ in which $x$ ranges over the alphabet, and $q$ over the states (plus one extra element, representing the fact that the head is elsewhere). More precisely, $d_{x,q}$ is defined as

$$d_{x,q} = \mathit{read}_{x,q} ; d_{x,q} \;\oplus\; \mathit{writeSymbol}_y ; d_{y,q} \;\oplus\; \bigoplus_{q'} \mathit{writeState}_{q'} ; d_{x,q'}$$

where $\mathit{read}_{x,q}$, $\mathit{writeSymbol}_y$, $\mathit{writeState}_{q'}$ are atoms. Note in passing that mutual recursion can be reduced to single recursion via the $\mathrm{rec}$ construct (up to some unfolding, Bekić's Theorem).

Process $P$ in (5) uses the above contracts in separate sessions, one for each tape cell. Informally, $P$ is built so as to generate

$$\mathit{Begin}(s_0, s_1) \mid X(s_0, s_1, s_2) \mid X(s_1, s_2, s_3) \mid \cdots \mid \mathit{End}(s_{n-1}, s_n)$$

where $s_0, \ldots, s_n$ are distinct sessions. Processes $\mathit{Begin}$, $X$, and $\mathit{End}$ are constructed so as to behave as follows:

- $\mathit{Begin}(s_0, s_1)$ handles the leftmost cell of the tape. It behaves as the cell-handling processes $X$ (defined below), but also keeps on performing $\mathrm{do}_s\, a$, hence realizing the first stipulated contract $c$. Process $\mathit{Begin}(s_0, s_1)$ also waits for the head of $M$ to reach the leftmost cell and $M$ to be in the halting state $q_{\mathit{stop}}$. When this is detected, it stops performing $\mathrm{do}_s\, a$, hence making $A$ become dishonest (at session $s$).

- Processes $X(s_{i-1}, s_i, s_{i+1})$ are responsible for handling the $i$-th cell. Each such process reads the cell by performing $\sum_{x,q} \mathrm{do}_{s_i}\, \mathit{read}_{x,q} .\, \mathit{Handle}_{x,q}$. Whenever the head is not on the $i$-th cell, it keeps on performing reads (so that $A$ does not become culpable at session $s_i$). If the head is on the $i$-th cell, the symbol is updated according to the transition rules, and then the head is possibly moved. Moving the head requires performing a $\mathrm{do}_{s_j}\, \mathit{writeState}$ where $j$ is either $i-1$ or $i+1$.

- Process $\mathit{End}(s_{n-1}, s_n)$ waits for the head to reach the $n$-th cell. When this happens, it creates a new session $s_{n+1}$ (by issuing a $\mathrm{tell}$ of a latent contract, which may possibly be fused by $B$; otherwise $A$ remains honest in all sessions), spawns a new process $X(s_{n-1}, s_n, s_{n+1})$, and then recurses as $\mathit{End}(s_n, s_{n+1})$.

A crucial property is that it is possible to craft the above processes so that in no circumstances (including hostile contexts) they make $A$ dishonest at sessions $s_i$; the only session where $A$ could eventually become culpable is $s$. For example, $X(s_{i-1}, s_i, s_{i+1})$ is built so that it never stops performing reads at session $s_i$. This property is achieved by encoding each potentially blocking operation $\mathrm{do}_{s_k}\, b .\, P'$ as $Q = \mathrm{do}_{s_k}\, b .\, P' + \sum_{x,q} \mathrm{do}_{s_i}\, \mathit{read}_{x,q} .\, Q$. Indeed, in this way, reads on $s_i$ are continuously performed, unless the context suddenly stops cooperating in that session: in this case, the context is culpable in $s_i$, but $A$ is not. Also, in this case the computation of $M$ may get stuck, but $A$ would still be honest in every session, as intended. $A$ could also get stuck while she is waiting to write at session $s_{i+1}$. While performing the write action, care must be taken so as not to forget to keep on reading on $s_i$, preserving honesty at $s_i$. When that is done, even if the other participant involved at session $s_{i+1}$ is making such session stuck, $A$ keeps moving at $s_i$. Similarly, the $\mathit{End}$ process is built so as to keep on reading from $s_n$ when waiting for a new session $s_{n+1}$ to be opened. In the case the context does not provide a compliant latent contract and the session cannot be spawned, this may stop the computation of $M$, but $A$ will still be honest in all the opened sessions $s_i$.

To conclude, given a Turing machine $M$ we have constructed a CO2 participant $A[P]$ such that (i) if $M$ does not halt, then $A[P]$ is honest, while (ii) if $M$ halts, then $A[P]$ is not honest in some (cooperating) context. Note that a context which cooperates with $A[P]$ always exists: e.g., the system that first tells the duals of all the contracts possibly advertised by $A$ (a finite number), fuses them, and then (recursively) performs all the promised actions. □
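The reduction above, as an added executable sketch that is not part of the paper: each tape cell is a `Cell` holding the state $(x,q)$ of its contract $d_{x,q}$, every open cell session is read once per round (so $A$ never stops reading at $s_i$), $\mathit{Begin}$ performs $a$ at $s$ until it sees the head on cell 0 in $q_{\mathit{stop}}$, and a new cell session is opened only when the context cooperates. The Python encoding, the names `Cell`, `simulate`, `HALTING_M`, `LOOPING_M`, the two machines, and a "stay" head move are all assumptions of this example.

```python
"""Sketch of the Theorem 4 reduction: a Turing machine M runs through one
contract session per tape cell, and the simulating participant A stops
honouring c = rec X. a; X at session s exactly when M halts (head on cell 0
in state q_stop).  Constructed illustration, not the paper's own construction;
the "stay" head move (0) is an assumption added for brevity."""

from typing import Dict, List, Optional, Tuple

BLANK = "_"
ELSEWHERE: Optional[str] = None   # extra element of the q range: head not on this cell
Delta = Dict[Tuple[str, str], Tuple[str, str, int]]   # (q, x) -> (q', y, move)


class Cell:
    """Abstract state (x, q) of the contract d_{x,q} governing session s_i."""

    def __init__(self) -> None:
        self.symbol = BLANK
        self.state: Optional[str] = ELSEWHERE
        self.reads = 0                      # how often A performed do_{s_i} read_{x,q}

    def read(self) -> Tuple[str, Optional[str]]:
        self.reads += 1                     # read_{x,q}; d_{x,q}: contract state unchanged
        return self.symbol, self.state

    def write_symbol(self, y: str) -> None:
        self.symbol = y                     # writeSymbol_y; d_{y,q}

    def write_state(self, q: Optional[str]) -> None:
        self.state = q                      # writeState_{q'}; d_{x,q'}


def simulate(delta: Delta, q0: str, q_stop: str, rounds: int,
             cooperating: bool = True, max_cells: int = 8) -> dict:
    """Run A's processes Begin | X ... | End for at most `rounds` rounds.
    Per round: every open cell session is read once (A stays honest at all s_i),
    Begin performs `a` at s unless it detects that M halted, and the cell under
    the head applies one transition of M.  Returns a summary dict."""
    cells: List[Cell] = [Cell(), Cell()]    # Begin(s0, s1) needs two sessions to start
    cells[0].write_state(q0)                # head on cell 0 in the initial state
    a_steps, rounds_run, culpable_at_s = 0, 0, False
    for _ in range(rounds):
        rounds_run += 1
        snapshot = [cell.read() for cell in cells]     # reads at every s_i
        if snapshot[0][1] == q_stop:        # Begin: head on cell 0 in q_stop
            culpable_at_s = True            # A stops performing do_s a: culpable at s
            break
        a_steps += 1                        # Begin keeps realizing c = rec X. a; X
        for i, (x, q) in enumerate(snapshot):
            if q is ELSEWHERE or (q, x) not in delta:
                continue                    # head elsewhere, or M has no transition
            q_next, y, move = delta[(q, x)]
            j = max(i + move, 0)            # M never moves left of cell 0
            if j >= len(cells):
                # End(s_{n-1}, s_n): session s_{n+1} is needed; only a cooperating
                # context fuses the latent contract that A tells
                if not (cooperating and len(cells) < max_cells):
                    break                   # M gets stuck; A keeps reading, stays honest
                cells.append(Cell())
            cells[i].write_symbol(y)
            cells[i].write_state(ELSEWHERE)
            cells[j].write_state(q_next)    # do_{s_j} writeState_{q'}
            break                           # a single head: one transition per round
    return {
        "culpable_at_s": culpable_at_s,
        "a_steps": a_steps,
        "rounds": rounds_run,
        "reads": [cell.reads for cell in cells],
        "tape": "".join(cell.symbol for cell in cells),
    }


# Constructed machines (not from the paper).  HALTING_M writes "11" and halts
# with its head back on cell 0; LOOPING_M walks right forever on the blank tape.
HALTING_M: Delta = {
    ("q0", BLANK): ("q1", "1", +1),
    ("q1", BLANK): ("q2", "1", -1),
    ("q2", "1"): ("q_stop", "1", 0),
}
LOOPING_M: Delta = {("q0", BLANK): ("q0", BLANK, +1)}

if __name__ == "__main__":
    print(simulate(HALTING_M, "q0", "q_stop", 10))               # culpable at s
    print(simulate(LOOPING_M, "q0", "q_stop", 20))               # never culpable
    print(simulate(LOOPING_M, "q0", "q_stop", 10, cooperating=False))  # stuck, honest
```

With the halting machine the `reads` entry shows every cell read in every round right up to the round in which $A$ stops doing $a$, which is the only session where culpability appears; with the looping machine, or with a context that refuses to open new sessions, `culpable_at_s` stays false however long the bound.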



C Proofs for Section 5 

Lemma 6. For all bilateral contracts $\gamma = A \text{ says } c \mid B \text{ says } d$:

1. $\gamma \xrightarrow{A \text{ says } a} A \text{ says } c' \mid B \text{ says } d' \implies c \xrightarrow{a}_\sharp c' \wedge (d \xrightarrow{\mathit{ctx}}_\sharp d' \vee d \rightarrow_\sharp d')$

2. $\gamma \xrightarrow{A \text{ says } a} A \text{ says } c' \mid B \text{ says } d' \wedge c \bowtie d \implies c \xrightarrow{a}_\sharp c' \wedge d \xrightarrow{\mathit{ctx}}_\sharp d'$

Proof. The first item is straightforward by case analysis on the rules in Def. 2 and Def. 14. The second item is similar, by also exploiting the fact that, since $c \bowtie d$, Lemma 3 prevents [*Fail] transitions. □
Lemma C1. $c \xrightarrow{\mathit{ctx}}_\sharp c' \wedge c' \xrightarrow{a}_\sharp c'' \implies c \xrightarrow{a}_\sharp c''$

Proof. By inspection of the rules for $\rightarrow_\sharp$. Indeed, when $c'$ differs from $c$, this is due to having selected a specific branch in an external sum, or to having a $\mathrm{ready}\, a$ prefix instead of a singleton internal sum. In all cases $a$ leads to the same result. □

Lemma C2. For all processes $Q$ and for all contracts $c$:

$$Q \models^A_s c \;\wedge\; c \xrightarrow{\mathit{ctx}}_\sharp c' \implies Q \models^A_s c'$$

Proof. We define a relation $\models'$ as follows

and then prove that it satisfies the conditions of Definition 15. This would imply that $\models'$ coincides with $\sharp$-realizability, hence the statement of the lemma holds.

When $P \models' c$ is due to $\sharp$-realizability, clearly it satisfies the required conditions. The non-trivial case is when for some $c'$ we have $P \models^A_s c'$ and $c' \xrightarrow{\mathit{ctx}}_\sharp c$. To check the conditions in this case, let $P = P_0, \ldots$ be a $\{\tau, \mathrm{tell}\}$-fair $\mathrm{do}$-free trace.

We proceed by cases on the transition $c' \xrightarrow{\mathit{ctx}}_\sharp c$:

- We have $c' \xrightarrow{\mathit{ctx}}_\sharp c = c'$. Here, we get the conditions from $P \models^A_s c = c'$.

- We have $c' = \sum a_i . c_i \xrightarrow{\mathit{ctx}}_\sharp \mathrm{ready}\, a_n . c_n = c$. Here, $c'$ unblocks $\mathrm{RD}_s(P_j)$ as long as $j$ is sufficiently large. This implies that for such $j$, for all $i$ we have $a_i \in \mathrm{RD}_s(P_j) \cup \{e\}$. Hence, $a_n \in \mathrm{RD}_s(P_j) \cup \{e\}$, which proves that $c = \mathrm{ready}\, a_n . c_n$ unblocks $\mathrm{RD}_s(P_j)$.

For the second condition, assume $P_j \xrightarrow{\mathrm{do}_s\, a}_\sharp P'$ and that $c \xrightarrow{a}_\sharp c''$. Since $c' \xrightarrow{\mathit{ctx}}_\sharp c$, by Lemma C1 we get $c' \xrightarrow{a}_\sharp c''$. Since $P \models^A_s c'$, we have that $P' \models^A_s c''$, hence $P' \models' c''$.

- We have $c' = a ; c'' \xrightarrow{\mathit{ctx}}_\sharp \mathrm{ready}\, a . c'' = c$. Here, we proceed similarly to the above case. We get that $c'$ unblocks $\mathrm{RD}_s(P_j)$ as long as $j$ is sufficiently large. This implies that for such $j$, we have $a \in \mathrm{RD}_s(P_j) \cup \{e\}$. This proves that $c = \mathrm{ready}\, a . c''$ unblocks $\mathrm{RD}_s(P_j)$. The second condition follows exactly as per the previous case. □
Lemma 7. For each (finite or infinite) stable $\rightarrow$-trace $(S_i)_i$, with $S_i = (\vec u_i)(A[Q_i] \mid S'_i)$, there exists a $\rightarrow_\sharp$-trace $Q_0 \xrightarrow{\mu_0}_\sharp Q_1 \xrightarrow{\mu_1}_\sharp Q_2 \xrightarrow{\mu_2}_\sharp \cdots$ where $\mu_i = \pi$ if $S_i \xrightarrow{A \text{ says } \pi} S_{i+1}$, and $\mu_i = \mathit{ctx}$ otherwise. Moreover, if $(S_i)_i$ is fair, then $(Q_i)_i$ is $\{\tau, \mathrm{tell}\}$-fair.

Proof. We proceed by induction on the number of steps. The base case (empty trace) is trivial. Otherwise, from the inductive hypothesis we obtain $Q_1 \xrightarrow{\mu_1}_\sharp Q_2 \cdots$ where the $\mu_i$ are as in the statement above. We now conclude by proving $Q_0 \xrightarrow{\mu_0}_\sharp Q_1$, and its related property about $\mu_0$, by examining the possible cases for $S_0 \rightarrow S_1$. Note that in the stable trace the delimitations are brought to the top-level of $S_i$, i.e. in $(\vec u_i)$: this is done by the $\mathrm{open}(\cdot)$ operator in the definition of $\rightarrow$, which we can therefore neglect below.

- $A$ did not move, but its context did.

If some other participant performed a $\mathrm{tell}_A \downarrow_x c$, then we have $Q_1 = {\downarrow_x} c \mid Q_0$. Then, by the abstract semantics rules we get $Q_0 \xrightarrow{\mathit{ctx}}_\sharp Q_1$.

Otherwise, if some other participant performed a $\mathrm{fuse}$, this can instantiate variable $x$ in the whole system to the fresh name $s$. In this case $Q_1 = Q_0\{s/x\}$, and indeed by the abstract semantics rules we have $Q_0 \xrightarrow{\mathit{ctx}}_\sharp Q_0\{s/x\} = Q_1$.

In the other cases, we have $Q_0 = Q_1$, and $Q_0 \xrightarrow{\mathit{ctx}}_\sharp Q_0 \sigma = Q_1$ is obtained by taking $\sigma = \mathrm{id}$.

- $A$ moved, firing prefix $\pi$. We consider two further subcases.

• $\pi = \mathrm{tell}_B \downarrow_x c$. This is possible when $Q_0 = \mathrm{tell}_B \downarrow_x c . P + Q \mid R$. In this case the residual $Q_1$ is ${\downarrow_x} A \text{ says } c \mid P \mid R$, and $Q_0 \xrightarrow{\pi}_\sharp Q_1$ directly follows from the abstract semantics rules.

• $\pi \neq \mathrm{tell}_B \downarrow_x c$. This is possible when $Q_0 = \pi . P + Q \mid R$. In this case the residual $Q_1$ must be of the form $(P \mid R)\sigma$, where $\sigma = \mathrm{id}$ except when $\pi$ is a $\mathrm{fuse}$. In this case, $\sigma$ accounts for the resulting variable instantiations. Finally, $Q_0 \xrightarrow{\pi}_\sharp Q_1$ follows from the abstract semantics rules.

We now verify that if the concrete trace is fair, then the abstract trace is $\{\tau, \mathrm{tell}\}$-fair. Indeed, if $\xrightarrow{\tau}_\sharp$ is enabled from a certain step onwards, say from $Q_k$, this means that there is an unguarded $\tau$ prefix in $Q_i$ for all $i \geq k$. In that case we would have that $S_i \xrightarrow{A \text{ says } \tau}$ for all $i \geq k$. Therefore, in the concrete trace eventually $A$ performs a $\tau$. Hence, in the abstract trace a $\tau$ is eventually performed. A similar reasoning applies to $\mathrm{tell}$. □

Lemma C3. If $Q \models^A_s c$, and $Q \xrightarrow{\mu}_\sharp Q'$, then

1. $\mu \neq \mathrm{do}_s - \implies Q' \models^A_s c$

2. $\mu = \mathrm{do}_s\, a \wedge c \xrightarrow{a}_\sharp c' \implies Q' \models^A_s c'$

Proof. For part 1, let $\eta'$ be any $\{\tau, \mathrm{tell}\}$-fair $\mathrm{do}$-free trace $Q' = P_0 \xrightarrow{\mu_0}_\sharp P_1 \xrightarrow{\mu_1}_\sharp \cdots$. Then, the trace $\eta$ defined as

$$Q \xrightarrow{\mu}_\sharp Q' = P_0 \xrightarrow{\mu_0}_\sharp P_1 \xrightarrow{\mu_1}_\sharp \cdots$$

is a $\{\tau, \mathrm{tell}\}$-fair $\mathrm{do}$-free trace of $Q$. To check Definition 15 on the trace $\eta'$, it suffices to exploit the same definition on $\eta$. Indeed, if Definition 15 applies to $\eta$, it also holds for $\eta'$, which is a suffix.

For part 2, consider any $\{\tau, \mathrm{tell}\}$-fair $\mathrm{do}$-free trace of $Q$. We have then $Q = P_0$. From Definition 15, part 2, taking $i = 0$, $P' = Q'$, we get that

$$Q = P_0 \xrightarrow{\mathrm{do}_s\, a}_\sharp Q' \;\wedge\; c \xrightarrow{a}_\sharp c' \implies Q' \models^A_s c'$$

which allows us to conclude. □

Theorem 5. Let $(S_i)_i$ be a stable $\rightarrow$-trace with $S_i = (\vec u_i)(A[Q_i] \mid s[A \text{ says } c_i \mid B \text{ says } d_i] \mid S'_i)$ for all $i$. If $c_0 \bowtie d_0$ and $Q_0 \models^A_s c_0$, then $Q_i \models^A_s c_i$ for all $i$.

Proof. By Lemma 7, $(Q_i)_i$ forms an abstract $\rightarrow_\sharp$-trace, whose labels $\mu_i$ are of the form $\pi$ if $S_i \xrightarrow{A \text{ says } \pi} S_{i+1}$, and $\mathit{ctx}$ otherwise.

The compliance of $c_i$ and $d_i$ is preserved at each step by Def. 3. The fact that $Q_i$ $\sharp$-realizes $c_i$ is also preserved by steps $Q_i \xrightarrow{\mu_i}_\sharp Q_{i+1}$, as we now prove by cases on $\mu_i$.

- In the case $\mu_i = \mathit{ctx}$, we get that $Q_{i+1}$ $\sharp$-realizes $c_i$ by Lemma C3, item 1. If $c_{i+1} = c_i$ then $c_i \xrightarrow{\mathit{ctx}}_\sharp c_{i+1}$ trivially holds; otherwise, it has been modified by the context and by Lemma 6, item 2, since $c_i \bowtie d_i$ we again have $c_i \xrightarrow{\mathit{ctx}}_\sharp c_{i+1}$. From that, we apply Lemma C2 to obtain that $Q_{i+1}$ also $\sharp$-realizes $c_{i+1}$.

- Otherwise, $\mu_i = \pi$, $S_i \xrightarrow{A \text{ says } \pi} S_{i+1}$ and $Q_i \xrightarrow{\pi}_\sharp Q_{i+1}$. We consider two further subcases.

• If $\mu_i = \mathrm{do}_s\, a$, then $S_i \xrightarrow{A \text{ says } \mathrm{do}_s\, a} S_{i+1}$. The latter is due to a transition in contracts of the form $A \text{ says } c_i \mid B \text{ says } d_i \xrightarrow{A \text{ says } a} A \text{ says } c_{i+1} \mid B \text{ says } d_{i+1}$. So by Lemma 6, item 1, we have that $c_i \xrightarrow{a}_\sharp c_{i+1}$. Hence $Q_{i+1}$ $\sharp$-realizes $c_{i+1}$ by Lemma C3, item 2.

• If $\mu_i \neq \mathrm{do}_s -$, we have $c_{i+1} = c_i$ because $A$ did not perform any action in session $s$. Hence, we get that $Q_{i+1}$ $\sharp$-realizes $c_i = c_{i+1}$ from Lemma C3, item 1. □

Lemma C4. For all $P, Q, A, \mu$, if $P \mid Q \xrightarrow{\mu}_\sharp W$ then $W = P' \mid Q'$ and $\exists \sigma.\; P' = P\sigma \;\vee\; (P = \pi . P_1 + R_1 \mid P_2 \wedge P' = (P_1 \mid P_2)\sigma)$.

Moreover, if $(P_i \mid Q_i)_i$ is a $\{\tau, \mathrm{tell}\}$-fair $\rightarrow_\sharp$-trace without $\mathrm{do}_s -$ where $P_0 = P$ and $Q_0 = Q$, then $(P_i)_i$ is a $\{\tau, \mathrm{tell}\}$-fair $\rightarrow_\sharp$-trace without $\mathrm{do}_s -$ from $P$.

Proof. The proof of the first part easily follows by case analysis on the rules in Figure 4, observing that the abstract semantics does not allow parallel processes to interact. To prove that $(P_i)_i$ is a $\{\tau, \mathrm{tell}\}$-fair $\rightarrow_\sharp$-trace without $\mathrm{do}_s -$ from $P$ it suffices to note that any transition $P_i \mid Q_i \xrightarrow{\mu}_\sharp P_{i+1} \mid Q_{i+1}$ due to a prefix in $Q_i$ can be replaced with a transition $P_i \xrightarrow{\mathit{ctx}}_\sharp P_{i+1}$ with a suitable substitution. Fairness then trivially holds. □
Lemma C5. For all $P, Q, A, s, c$, if $P \models^A_s c$ and $Q$ is free from $\mathrm{do}_s -$, then $P \mid Q \models^A_s c$.

Proof. We prove that the relation

$$\mathcal{R} = \{(P \mid Q, c) \;|\; P \models^A_s c \wedge Q \text{ is free from } \mathrm{do}_s -\}$$

satisfies conditions 1 and 2 of Def. 15.

Let $(P_i \mid Q_i)_i$ be a $\{\tau, \mathrm{tell}\}$-fair $\rightarrow_\sharp$-trace without $\mathrm{do}_s -$ where $P_0 = P$ and $Q_0 = Q$. By Lemma C4, $(P_i)_i$ is a $\{\tau, \mathrm{tell}\}$-fair $\rightarrow_\sharp$-trace without $\mathrm{do}_s -$ from $P$. Since $Q_0 = Q$ is free from $\mathrm{do}_s -$, $\mathrm{RD}_s(Q_i) = \emptyset$ for each $i$; hence, $\mathrm{RD}_s(P_i \mid Q_i) = \mathrm{RD}_s(P_i)$. This, observing that $P \models^A_s c$, yields that there is an index $k$ such that $c$ unblocks $\mathrm{RD}_s(P_j \mid Q_j)$ for each $j > k$.

Finally, for each $i, a, P', c'$, if $P_i \mid Q_i \xrightarrow{\mathrm{do}_s\, a}_\sharp W$ and $c \xrightarrow{a}_\sharp c'$ then, by repeated application of Lemmata C4 and C3, $W$ is of the form $P' \mid Q_i$ with $Q_i$ without $\mathrm{do}_s -$ (hence $P_i \xrightarrow{\mathrm{do}_s\, a}_\sharp P'$) and $P' \models^A_s c'$. Therefore, $(P' \mid Q_i, c') \in \mathcal{R}$, which implies that condition 2 of Def. 15 holds. □

Lemma C6. For all $P, A, s, c$, if $P \models^A_s c$ and $\sigma$ is any substitution, then $P\sigma \models^A_s c$.

Proof. Since $P \xrightarrow{\mathit{ctx}}_\sharp P\sigma$ for any substitution $\sigma$, the thesis is immediate from Lemma C3. □



Lemma 8. For all $\sharp$-honest participants $A[P]$, such that $P = \mathrm{open}(P)$:

1. if $P \xrightarrow{\mathrm{tell}_B \downarrow_x c}_\sharp P'$, then $P'\{s/x\} \models^A_s c$, for all $s$ fresh in $P$.

2. if $P \rightarrow_\sharp P'$, then $A[P']$ is $\sharp$-honest.

Proof. For part 1, let $C$ be an $x$-safe context, and let $Q$ and $R$ be processes such that

$$P = C(\mathrm{tell}_B \downarrow_x c . Q + R) \qquad (6)$$

By Def. 16, either $C(\bullet) = C'((x)\bullet)$ or $C$ does not contain $\mathrm{do}_x -$. The former case is ruled out by $P = \mathrm{open}(P)$. (Notice that there exists at least a context $C$ not of the form $\pi . C'(\bullet) + R' \mid Q'$ with $\pi \neq \mathrm{tell} \downarrow_x c$.) Therefore, there must be a context $C = \bullet \mid Q'$ such that (6) holds. Hence, $P' = Q \mid Q'$ with $Q\{s/x\} \models^A_s c$ and $Q'$ free from $\mathrm{do}_x -$, since $A[P]$ is $\sharp$-honest and (6); therefore the thesis follows by Lemma C5.

For part 2, by contradiction, assume $P'$ is not $\sharp$-honest; then for suitable $C(\bullet)$, $x$, $c$, $Q'$ and $R'$

$$P' = C(\mathrm{tell}_B \downarrow_x c . Q' + R') \;\wedge\; (\mathrm{open}(Q'\{s/x\}) \not\models^A_s c \;\vee\; C \text{ is not } x\text{-safe}) \qquad (7)$$

We proceed by case analysis to derive a contradiction.

- If $P = \pi . Q + R_1 \mid P_2$, $\pi$ was fired, and $\pi \neq \mathrm{tell}_A \downarrow_y d$ then $P' = \mathrm{open}(Q \mid P_2)\sigma$ for some substitution $\sigma$. Hence, $\mathrm{tell}_B \downarrow_x c . Q' + R'$ is a sub-process of either $\mathrm{open}(Q)\sigma$ or $\mathrm{open}(P_2)\sigma$.

Note that, were $\sigma$ defined at $x$, we would have that $\mathrm{tell}_B \downarrow_x c . Q'$ is under a delimitation in $P'$, otherwise $P'$ could not contain $\mathrm{tell}_B \downarrow_x c . Q'$, contradicting (7). Hence, w.l.o.g. we can assume that $\sigma$ is not defined at $x$, otherwise we can $\alpha$-convert the bound variable.

Therefore there is a sub-process $\mathrm{tell}_B \downarrow_x c . Q'' + R''$ of $P$ such that

$$\mathrm{open}(\mathrm{tell}_B \downarrow_x c . Q'' + R'')\sigma = \mathrm{tell}_B \downarrow_x c . Q' + R'$$

namely there is a context $C_P(\bullet)$ such that $P = C_P(\mathrm{tell}_B \downarrow_x c . Q'' + R'')$, where $C_P(\bullet)$ is $x$-safe by $\sharp$-honesty of $A[P]$. Observe that $\mathrm{tell}_B \downarrow_x c . Q'' + R''$ cannot occur right under a delimitation of $x$, otherwise that would imply that $C(\bullet)$ is $x$-safe. This is impossible because we would have that $\mathrm{open}(Q'\{s/x\}) \not\models^A_s c$. However, by $\sharp$-honesty of $A[P]$, we have $\mathrm{open}(Q''\{s/x\}) \models^A_s c$ hence

$$\mathrm{open}(Q''\{s/x\})\sigma = \mathrm{open}(Q'\{s/x\}) \models^A_s c$$

by Lemma C6, since $\{s/x\}\sigma = \sigma\{s/x\}$ because $x$ is not assigned by $\sigma$. This proves that $\mathrm{tell}_B \downarrow_x c . Q'' + R''$ cannot occur right under a delimitation of $x$ in $C_P$. Moreover, if $\mathrm{do}_x -$ does not occur in $C_P(\bullet)$, then it cannot occur in $C(\bullet)$ as well, since transitions cannot introduce it.

From the above cases, we conclude that $C_P$ is not $x$-safe, therefore $P$ is not $\sharp$-honest — contradiction.

- If $P = \pi . Q + R_1 \mid P_2$ and $\pi = \mathrm{tell}_A \downarrow_y c'$ then $P' = \mathrm{open}({\downarrow_y} A \text{ says } c' \mid Q \mid P_2)$ and the proof proceeds as in the previous case.

- If $P \xrightarrow{\mathit{ctx}}_\sharp {\downarrow_y} B \text{ says } c \mid P$ with $B \neq A$, then since no latent contracts of the form ${\downarrow_y} A \text{ says } d$ occur in $A[P]$, this also holds for $A[P']$. By contradiction, were $A[{\downarrow_y} B \text{ says } c \mid P]$ non-$\sharp$-honest then also $A[P]$ would be such. This is because $C(\mathrm{tell}_A \downarrow_x c . Q' + R') = {\downarrow_y} B \text{ says } c \mid P$ implies that $C(\bullet) = {\downarrow_y} B \text{ says } c \mid C'(\bullet)$ with $P = C'(\mathrm{tell}_A \downarrow_x c . Q' + R')$.

- If $P \xrightarrow{\mathit{ctx}}_\sharp P\sigma$ and $P\sigma = C(\mathrm{tell}_B \downarrow_x c . Q' + R')$ then, as we did in the first case, w.l.o.g. we can assume $\sigma$ to be undefined at $x$. Then, there is $\mathrm{tell}_B \downarrow_x c . Q'' + R''$ and a context $C_P(\bullet)$ such that $(\mathrm{tell}_B \downarrow_x c . Q'' + R'')\sigma = \mathrm{tell}_B \downarrow_x c . Q' + R'$ and $P = C_P(\mathrm{tell}_B \downarrow_x c . Q'' + R'')$. Then the thesis is obtained as in the first case. □



Lemma C7. If $A \not\div_s S$ and $S \xrightarrow{A \text{ says } \cdots} S'$ then $A \not\div_s S'$.

Proof. By inspection of the semantics rules. In system $S$, consider the unilateral contract $c$ of $A$ in $s$. If $c$ performs an $e$ move, it changes into $E$ and the thesis follows trivially. Otherwise, $c$ cannot start with $\mathrm{ready}\, a$, $a \neq e$, since we have $A \not\div_s S$. So, $c$ either moves according to a [*Fail] rule, or causes a $\mathrm{ready}\, a$, $a \neq e$, to appear in front of the other contract in session $s$. In both cases, we have $A \not\div_s S'$. □
Theorem 6. All $\sharp$-honest participants are honest.

Proof. By contradiction, assume that $A[P]$ is not honest. By Def. 11, there exists $S'$ (free from contracts of the form $A \text{ says } c$) such that $A$ is not honest in $S = A[P] \mid S'$. By Def. 11, there exists a $\rightarrow$-trace $S \rightarrow^* S_0$ and a $\{A \text{ says } \cdots\}$-fair $A$-solo $\rightarrow$-trace $S_n, S_{n+1}, \ldots$ such that $A \div S_i$ for all $i > n$. W.l.o.g. assume that such trace is stable.

Note that, in the $A$-solo trace $S_n \rightarrow S_{n+1} \rightarrow \cdots$ sessions can only be initiated by the participant $A$. Since the environment of $A$ in $S_n$ contains a finite number of frozen contracts, and since sessions can only be established between two different participants, then a finite number of sessions appears in $S_n \rightarrow S_{n+1} \rightarrow \cdots$. By Lemma C7, for all sessions $s'$, if $A \not\div_{s'} S_i$, then $A \not\div_{s'} S_{i+1}$, i.e. $A$ cannot become culpable by means of her own actions. Therefore, there exists a session $s$ and $n_s > n$ such that $A \div_s S_i$ for all $i > n_s$.

Therefore, $s$ contains a contract advertised by $A$ at some step $t < n$, which has been fused at some step $f$, for $t < f < n$, i.e. the trace has the form:

$$S_0 \rightarrow^* \xrightarrow{A \text{ says } \mathrm{tell}_K \downarrow_x c} (\vec u_t)\,(A[Q_t] \mid K[{\downarrow_x} A \text{ says } c \mid \cdots] \mid S_t) \rightarrow^* (\vec u_f)\,(A[Q_f] \mid K[\cdots] \mid s[A \text{ says } c_f \mid B \text{ says } d_f] \mid S_f) \rightarrow^* S_n \rightarrow^* \cdots$$

where $c_f = c$. By rule [Fuse], $c_f \bowtie d_f$, and since compliance is preserved by $\rightarrow$-transitions, $c_i \bowtie d_i$ for all $i > f$. By Lemma 7, there exists a $\{\tau, \mathrm{tell}\}$-fair $\rightarrow_\sharp$-trace $(Q_i)_i$ where $\mu_i = \pi$ iff $S_i \xrightarrow{A \text{ says } \pi} S_{i+1}$.

Note that $Q_i = \mathrm{open}(Q_i)$, because the trace is stable. Then, by Lemma 8 (item 2), $A[Q_i]$ is $\sharp$-honest for all $i$. By Lemma 8 (item 1) $Q_t\{s/x\} \models^A_s c$. By Lemma C3 (item 1), for all $i \in [t, f-1]$, $Q_i\{s/x\} \models^A_s c$. By Theorem 5, for all $i \geq f$, $Q_i \models^A_s c_i$. Since $c_i \bowtie d_i$ for all $i$, then by Lemma 3 it follows that $c_i \neq$ for all $i$. Then, by Theorem 3 (used contrapositively), there exists $d > f$ such that $\mu_i \neq \mathrm{do}_s -$ for all $i > d$. Then, by Def. 15 (item 1), there exists $k > d$ such that $c_i$ unblocks $\mathrm{RD}_s(Q_i)$ for all $i > k$. Therefore by Lemma 5 it follows that $A \not\div_s S_k$ or $S_k \xrightarrow{A \text{ says } \mathrm{do}_s\, a}$ (note that $A \not\div_s S_k$ is false by hypothesis). Hence, since the $\rightarrow$-trace is fair, the prefix $\mathrm{do}_s\, a$ should be eventually fired — contradiction, because the trace no longer contains labels $A \text{ says } \mathrm{do}_s -$ after the $d$-th step. □